General
-
Target
674fa52447b11181b67a93faa3d80bff135855d586a2a4a85e0b7c5971a7b97c
-
Size
583KB
-
Sample
241129-grgh9avnfm
-
MD5
3a06923393e06715185259566f46e9d9
-
SHA1
12ff7ae21beaf53a2b27b8318693e15f8b5211a2
-
SHA256
674fa52447b11181b67a93faa3d80bff135855d586a2a4a85e0b7c5971a7b97c
-
SHA512
f175f408722b2de535645a9e9aeb470efe498f7ba825e4665208f896ca58f89f01b2a2908ed359bfcf2c0daf496e15d7114b781b5c2d2a927cd3cfce5d897797
-
SSDEEP
12288:2gVkig+y+z6uQg2D+0Pl8bS47ZB3rt1ZB8r+I/b9u5eatDGLZ:fv7Rc/r9r4zZqr7aeaZOZ
Static task
static1
Behavioral task
behavioral1
Sample
LEVER STYLE SEP BUY ORDER & C248SH12.exe
Resource
win7-20240903-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
Asaprocky11 - Email To:
[email protected]
Targets
-
-
Target
LEVER STYLE SEP BUY ORDER & C248SH12.exe
-
Size
589KB
-
MD5
d7b31fb164449abc4ebba1da9f9db871
-
SHA1
3e8fd347bb725ff93cb63889596ca9d9a70ed78a
-
SHA256
b3a75b451a2ed180163105fdb42a677a1f124de62a989326766d63a614f905d2
-
SHA512
531737e285cfc045fefed2d095011565f6960b9dfa2469f6b274a172bc5fe19c46db207b66e62cdeed3a0d2661d75a572a491b38fc20a0d77f8c0e36d1ba47ad
-
SSDEEP
12288:xKP3YgVkigAyoz2AQ82B+0HlIbO47ZBBrtjZlQr+I3bTu5eaLDGLi:xA3YovntsTNF54XZmr5aeafOi
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4Virtualization/Sandbox Evasion
2