General

  • Target

    674fa52447b11181b67a93faa3d80bff135855d586a2a4a85e0b7c5971a7b97c

  • Size

    583KB

  • Sample

    241129-grgh9avnfm

  • MD5

    3a06923393e06715185259566f46e9d9

  • SHA1

    12ff7ae21beaf53a2b27b8318693e15f8b5211a2

  • SHA256

    674fa52447b11181b67a93faa3d80bff135855d586a2a4a85e0b7c5971a7b97c

  • SHA512

    f175f408722b2de535645a9e9aeb470efe498f7ba825e4665208f896ca58f89f01b2a2908ed359bfcf2c0daf496e15d7114b781b5c2d2a927cd3cfce5d897797

  • SSDEEP

    12288:2gVkig+y+z6uQg2D+0Pl8bS47ZB3rt1ZB8r+I/b9u5eatDGLZ:fv7Rc/r9r4zZqr7aeaZOZ

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      LEVER STYLE SEP BUY ORDER & C248SH12.exe

    • Size

      589KB

    • MD5

      d7b31fb164449abc4ebba1da9f9db871

    • SHA1

      3e8fd347bb725ff93cb63889596ca9d9a70ed78a

    • SHA256

      b3a75b451a2ed180163105fdb42a677a1f124de62a989326766d63a614f905d2

    • SHA512

      531737e285cfc045fefed2d095011565f6960b9dfa2469f6b274a172bc5fe19c46db207b66e62cdeed3a0d2661d75a572a491b38fc20a0d77f8c0e36d1ba47ad

    • SSDEEP

      12288:xKP3YgVkigAyoz2AQ82B+0HlIbO47ZBBrtjZlQr+I3bTu5eaLDGLi:xA3YovntsTNF54XZmr5aeafOi

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

    • Agenttesla family

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Windows security modification

    • Checks whether UAC is enabled

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks