General

  • Target

    22112024_0210_21112024_PO P24-1100.rar

  • Size

    539KB

  • Sample

    241122-cl65hayjeq

  • MD5

    5c9e2b5f7dad3f3cac99e1d0205b4972

  • SHA1

    44f392d08bef3f892f22416e7b82aaa68ce46e60

  • SHA256

    dbb51f7fc9f6d47ed12bbbfa63572d63b5a1063479918b503e3117725eb5e556

  • SHA512

    09225fc98b6aee59ffd4e5da02a2b83e520a31e3a2f1365d751bdc9151f17a4ed4d1668bdbd0d28d4253f4ffdf4e34db25e8e735f93408c89273967856e70dc5

  • SSDEEP

    12288:0Lw3vlOwZfK3XfraMoW/qk5zpowJdmlaYkJV7VeXOxgRQ:0U3xZqPr3owqEOImlNkJxVQOxgRQ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      PO P24-1100.exe

    • Size

      555KB

    • MD5

      d407b5bfa95d6549fceb3acd0a791c2b

    • SHA1

      f368052bae8505671cbdbab47acfe5994dc14417

    • SHA256

      11013cdd71339c3aac7041ef80912c8c03786f5967d58c539af0d560687089e8

    • SHA512

      bbf9d6687514842896fcdf6b29f12500c7b8c323e4f267ff3de3a328df4b4d2211cca320f653c4f01fcf3f766a0d3e9cd831a9de6691601e00a4cbe464a2075e

    • SSDEEP

      12288:nZQAgFdWlNesWPjcOfoahUHUMtK/Ib529tteCMXRaSykEHHPxjhWm:CAgyQPjcOfph0SELBaSyXPxUm

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks