General
- Target: ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40
- Size: 956KB
- Sample: 241122-w1n21swjez
- MD5: 56507d8fc1346411ed4fdbecb4589ec8
- SHA1: a7d542484247819e9037cbd913b8ad1b68b0dad6
- SHA256: ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40
- SHA512: c31e23a032d3551bb17a5bbfdff585ec57f308397739b807c08b082513d63c1984d8cf0a4cd65c2f0863e6ebec0766f161abe6a8860c65a1e44619097cb77e7b
- SSDEEP: 12288:9csCELA+12Hd5lpvS36pDfi/xN3xoAS4zxPVzxWWavQ8qiNRJEvhsEY72k2uDF+d:rzxdzxWpq8JE9ePD47tdTmTX
Static task: static1
Behavioral task: behavioral1
- Sample: ad3517d5640b93e40bc1e839f6616222801d06dd83ed5887462a71f3858f5b40.exe
- Resource: win7-20240903-en
Malware Config
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://beirutrest.com
- Port: 21
- Username: [email protected]
- Password: 9yXQ39wz(uL+
Extracted
- Protocol: ftp
- Host: beirutrest.com
- Port: 21
- Username: [email protected]
- Password: 9yXQ39wz(uL+
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell: runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (4)
  - Credentials In Files (3)
  - Credentials in Registry (1)