General

  • Target

    0c12ad85d9b46dd1b9923ffd977244fa3a4a46612f38e6edee40fb36d8243ea1.iso

  • Size

    700KB

  • Sample

    241122-ch2qlsxrfn

  • MD5

    577d081b724a55442e2f137d2ebad7ef

  • SHA1

    34827c7b6f4124a90056f04eda51cbafcb929ead

  • SHA256

    0c12ad85d9b46dd1b9923ffd977244fa3a4a46612f38e6edee40fb36d8243ea1

  • SHA512

    78f0f8171d8f9ef2d37cc912602178769a131bed8fec39773d8b0065afa4676e4fe96995fc1fbf8a138e406ffa0e77e66690daafa60a227e3978ab35082f0be1

  • SSDEEP

    12288:77AgFdeiGKC0uCejzi9UhkL8WYCUeBhQi5UX9aLmmf5jq5XX2sMMnQ4HwXYJ:/AgeizWCeW94WYCnCEmi25H2OQ4QI

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    marcellinus360

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      datasheet.exe

    • Size

      639KB

    • MD5

      27270bf6a969355e90e16289379cd6d1

    • SHA1

      913f562df18cf266c3ae94605cce6c3ce084d472

    • SHA256

      7292590b86e83ca5c6993b8c56578740d1f066c91baf3d95bee2bd34d9153f15

    • SHA512

      814bec3009c19a298737385b783654110230cf902da1ebf18e2ad697901c884f8cf3f635979659ceedfa17aa5b79aa1b0860316baa2499b589d1586673730780

    • SSDEEP

      12288:O7AgFdeiGKC0uCejzi9UhkL8WYCUeBhQi5UX9aLmmf5jq5XX2sMMnQ4HwXYJ:KAgeizWCeW94WYCnCEmi25H2OQ4QI

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks