General

  • Target

    DATASHEETPRWPPENGASOL020322-SDVCONTROLVALVE.iso

  • Size

    874KB

  • Sample

    241129-k2wygaskgj

  • MD5

    7bdb8e3638494681dbd6965b4921cbc3

  • SHA1

    358c78a3064de4a84970a9feedcf5513d53b5687

  • SHA256

    af4553569f10b91a412c5630400d8233caef860375540961f41b62fdd09213c1

  • SHA512

    78667d8e779a59210ef14a253bfafe50569cd58ddff4f7a5b1c1c6fa2fca1be2ed88ad623ab4a636efe3a6e9a528fc5e1f555e5eb4dcb37239924ade34462c87

  • SSDEEP

    24576:xo1zGdLTJ0B12HCLU+Ntglo/q+az9mTUxj:xems124ulqq+aRn
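The ISO container listed above and the executable it carries (listed under Targets) have the same SSDEEP block size and chunk strings that differ in a single character, which is what an uncompressed PE stored inside an ISO 9660 image looks like. The Python below is added here as a worked example and is not part of the sandbox report: it checks for an ISO 9660 primary volume descriptor, carves PE headers out of the raw image by validating the MZ/e_lfanew/PE structure rather than trusting every "MZ" string, reports whether the embedded file has a CLR header (a .NET assembly, as Agent Tesla builds are), and computes the same four digests the report lists. The ISO image and the PE header inside it are constructed in the code (not the real sample); the header offsets and sizes are the standard PE ones.

```python
import hashlib
import struct

IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def hash_summary(data):
    """The four digests the report lists, computed over the raw bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def iso9660_volume_descriptor_present(data):
    """ISO 9660 leaves the first 32 KiB unused; the primary volume descriptor
    at 0x8000 begins with type byte 0x01 and the identifier 'CD001'."""
    return data[0x8000:0x8006] == b"\x01CD001"


def parse_pe_at(data, off):
    """Validate a PE image starting at data[off:] and return its key header
    fields, or None if the 'MZ' at off is not followed by a real PE header."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    # Heuristic bound: real DOS stubs are small, so an e_lfanew beyond 4 KiB
    # almost always means a stray 'MZ' rather than an executable.
    if e_lfanew < 0x40 or e_lfanew > 0x1000:
        return None
    pe = off + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at offset 96
        clr_off = 96 + CLR_DIRECTORY_INDEX * 8
    elif magic == 0x20B:        # PE32+: data directories start at offset 112
        clr_off = 112 + CLR_DIRECTORY_INDEX * 8
    else:
        return None
    is_dotnet = False
    if opt_size >= clr_off + 8:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + clr_off)
        is_dotnet = clr_rva != 0 and clr_size != 0
    return {"offset": off, "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
            "pe32plus": magic == 0x20B, "sections": nsections,
            "dll": bool(chars & 0x2000), "dotnet": is_dotnet}


def carve_pe(data):
    """Find every validated PE header in a raw image (ISO, disk dump, ...)."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(data, pos)
        if info:
            hits.append(info)
        pos = data.find(b"MZ", pos + 1)
    return hits


def build_fake_dotnet_pe():
    """Constructed minimal PE32 header (not real malware): DOS header, PE
    signature, COFF header, and an optional header whose CLR data directory
    is populated, as it is in any .NET assembly."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5F000000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2000, 0x48)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def build_fake_iso(payload):
    """Constructed ISO-like image: 32 KiB system area, a primary volume
    descriptor sector, a decoy 'MZ' with nothing behind it, then the payload."""
    image = bytearray(0x8000)
    image += b"\x01CD001\x01\x00" + bytes(2048 - 8)   # one 2 KiB sector
    image += b"MZ" + bytes(0x100)                       # stray 'MZ', e_lfanew == 0
    image += bytes(0x200)
    image += payload
    image += bytes(0x400)
    return bytes(image)


if __name__ == "__main__":
    image = build_fake_iso(build_fake_dotnet_pe())
    print("ISO 9660 descriptor:", iso9660_volume_descriptor_present(image))
    for pe in carve_pe(image):
        print("PE at 0x%X: %s, %d sections, .NET=%s"
              % (pe["offset"], pe["machine"], pe["sections"], pe["dotnet"]))
    print("sha256:", hash_summary(image)["sha256"])
```

Run it against a real ISO by replacing the constructed image with the file's bytes; each carved offset can then be sliced out and hashed to confirm it matches the digests of the dropped executable.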

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      DATASHEET PR WPPENGASOL 020322-SDV CONTROL VALVE.exe

    • Size

      812KB

    • MD5

      c083ab67c959bb95ac8b68e3866990eb

    • SHA1

      d49d12d76950b53b5db1c83302b13653f4c5ca9b

    • SHA256

      0c2b559eb5283a70cd049b9feb500077ed327daeeddce69b9491f92e721cb14e

    • SHA512

      6b49ea330badcb67328566ee0f6b5e1d98cf489cba42aadec7be251657f4196b88a1efdd0b6589c09f22731e9d3659f0e1a74081aade31b5366b16a493aa9e6b

    • SSDEEP

      24576:Ho1zGdLTJ0B12HCLU+Ntglo/q+az9mTUxj:Hems124ulqq+aRn

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (credentials, keystrokes, clipboard), commonly built with Visual Basic .NET.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell (typically Add-MpPreference or Set-MpPreference) to add Windows Defender exclusions for file extensions, paths, and processes, so the dropped payload and its host process are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context, typically the primary thread of a suspended child process whose image has been overwritten, is the hallmark of process hollowing, a common way for loaders to run the final payload inside a legitimate-looking process.
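The "Command and Scripting Interpreter: PowerShell" and "Looks up external IP address via web service" signatures above describe behaviour that is also straightforward to hunt for in endpoint telemetry. The Python below is added as an example and is not part of the report or of the sandbox's own rules: it runs a detection over constructed log lines modelled on Sysmon process-creation command lines, PowerShell script-block text and DNS query events. It flags Add-MpPreference / Set-MpPreference calls that carry -ExclusionPath, -ExclusionExtension or -ExclusionProcess, decodes -EncodedCommand payloads first so a base64-wrapped call is still caught, and separately flags queries to well-known external IP lookup services. The hostnames in IP_LOOKUP_HOSTS and the log lines are assumptions made for the example; the report does not say which service this sample contacted.

```python
import base64
import re

# Hostnames of public "what is my IP" services; this list is an assumption
# for the example, not taken from the report.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
    "ip-api.com", "ipinfo.io", "checkip.amazonaws.com",
}

EXCLUSION_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCLUSION_PARAM = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded_command(text):
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    detection regexes see the real command; leave the text alone if the
    payload does not decode."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return text
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return text
    return text + " " + decoded


def detect_defender_exclusion(line):
    """Return the exclusion kinds this command line adds, or None."""
    text = expand_encoded_command(line)
    if EXCLUSION_CMDLET.search(text) and EXCLUSION_PARAM.search(text):
        return sorted({p.lower() for p in EXCLUSION_PARAM.findall(text)})
    return None


def detect_ip_lookup(line):
    """Return the queried host if it is a known external-IP lookup service."""
    m = re.search(r"DnsQuery:\s*([A-Za-z0-9.-]+)", line)
    if m and m.group(1).lower() in IP_LOOKUP_HOSTS:
        return m.group(1).lower()
    return None


def scan(lines):
    """Run both detections over a list of log lines and collect the hits."""
    hits = []
    for line in lines:
        kinds = detect_defender_exclusion(line)
        if kinds:
            hits.append({"rule": "defender_exclusion", "kinds": kinds, "line": line})
        host = detect_ip_lookup(line)
        if host:
            hits.append({"rule": "external_ip_lookup", "host": host, "line": line})
    return hits


def encoded_powershell(command):
    """Build the base64 form that PowerShell's -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed log lines for the example (not from the sandbox run).
SAMPLE_LOGS = [
    'CommandLine: powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath "C:\\Users\\Public"',
    "CommandLine: powershell.exe Set-MpPreference -ExclusionExtension exe,dll",
    'ScriptBlockText: Add-MpPreference -ExclusionProcess "RegSvcs.exe"',
    "CommandLine: powershell.exe -EncodedCommand "
    + encoded_powershell("Add-MpPreference -ExclusionPath C:\\ProgramData"),
    "CommandLine: powershell.exe Get-MpPreference",
    "DnsQuery: checkip.dyndns.org",
    "DnsQuery: www.microsoft.com",
    "CommandLine: notepad.exe C:\\temp\\notes.txt",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit["rule"], hit.get("kinds") or hit.get("host"), "<-", hit["line"][:70])
```

Get-MpPreference is deliberately not flagged: reading the configuration is benign, and the signature is about adding exclusions. On a real host the same change also surfaces as Windows Defender operational log event 5007 (configuration changed), which is worth correlating with the process-creation hit.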

MITRE ATT&CK Enterprise v15
