General
Target: ecc30cb35f833890b5065d1c2459c7e615b4bcd74a88beb673a7f37522b87166
Size: 634KB
Sample: 250124-bmm8casmby
MD5: 953964ca6d36acc0ddd33cd2f29512c9
SHA1: cd90308129813c62d2ae5278f3c19e89561bda46
SHA256: ecc30cb35f833890b5065d1c2459c7e615b4bcd74a88beb673a7f37522b87166
SHA512: 00df68e5a9b7340e43200fe3017632c987e42210e53e35c6cbbcce03a90b8db3e34ee8ffac29673e6486f3c659931008e6709dde8d0b663f32379fcd45643475
SSDEEP: 12288:kf3md5nJYTl69d6UUNTlLJ8cUE83DmhlzTMvChs4tRiWshOhmo9j/ztBx5s:kfknWl7UUjVDUn3ahXhs4NhB/s
Static task: static1
Behavioral task: behavioral1
Sample: Shipping documents.exe
Resource: win7-20240903-en
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.magnatextile.com
Port: 587
Username: [email protected]
Password: ow%{&}mti{&}$is
Email To: [email protected]
Targets
Target: Shipping documents.exe
Size: 747KB
MD5: 02786bcac1e68f432a07866844b0fc16
SHA1: 74c1c6618d49793e70f0e6221aa844b221dd28bf
SHA256: 01623046d87fa76ea3f656370cd71a69c7f53dfa3d9bc8aa379ea12f43b6dde4
SHA512: 932c2ed9ca4848c954d6507811e3f0bc38661cac4d77d5daec42a1712a3f23f8a736a2f774f18b310eb40edf85d58e782e7864a5dd976c9e9124605a636aa48b
SSDEEP: 12288:nDFtN/ybfNTlLJpgxDchlzbMvs5s4tPh0RLZOi72F:nDdOjVpiEhX5s4C9a
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. This sample exfiltrates over SMTP using the host, port and credentials in the extracted config above.
Agenttesla family
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference or Set-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess) so that the dropped payload is no longer scanned.
Checks computer location settings
Looks up the country code configured in the registry (typically the Geo\Nation value under HKCU\Control Panel\International), likely to geofence execution.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP; the resulting DNS query and HTTP request are low-noise network indicators of the same behaviour.
Suspicious use of SetThreadContext
Commonly seen in process hollowing, where a payload is written into a suspended process and the thread's context is redirected to the injected entry point. The report does not name the target process.
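The three behaviours above and the extracted SMTP config give a detection engineer concrete, low-noise telemetry to key on. As an added example (not part of this report or of the sandbox's own tooling), the Python below runs those checks over constructed telemetry lines: a PowerShell script block that adds Defender exclusions, a DNS query to an IP lookup service, and an outbound connection to the configured SMTP host on port 587. The `key=value` line format, the field names (`event`, `image`, `script`, `query`, `dst`, `dport`), the list of IP lookup domains and the list of legitimate mail clients are all assumptions for the example; map them onto your own log pipeline.

```python
import re

# Constructed sample telemetry (not from the report): one event per line as
# 'key=value' pairs, in the style of a flattened Sysmon / PowerShell 4104 export.
# Field names are an assumption for this example.
SAMPLE_LOG = r'''
event=ps_scriptblock image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" script="Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming' -ExclusionExtension exe -ExclusionProcess 'Shipping documents.exe'"
event=ps_scriptblock image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" script="Get-ChildItem C:\Temp"
event=dns_query image="C:\Users\victim\Desktop\Shipping documents.exe" query=api.ipify.org
event=dns_query image="C:\Program Files\Mozilla Firefox\firefox.exe" query=www.mozilla.org
event=net_connect image="C:\Users\victim\Desktop\Shipping documents.exe" dst=mail.magnatextile.com dport=587
event=net_connect image="C:\Program Files\Microsoft Office\root\Office16\outlook.exe" dst=smtp.office365.com dport=587
'''

# Defender exclusion tampering: the cmdlet AND an exclusion parameter must both appear.
DEFENDER_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.I)
DEFENDER_EXCLUSION_PARAM = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)

# Common "what is my IP" services (assumed list; extend from your own telemetry).
IP_LOOKUP_DOMAINS = {
    "api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ip-api.com", "ipinfo.io",
}

# From the extracted AgentTesla config on this page.
EXFIL_HOST = "mail.magnatextile.com"
EXFIL_PORT = 587

# Processes expected to speak SMTP submission; anything else on 587 is worth a look.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_kv(line):
    """Parse 'key=value key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(line):
    """Return a list of (tag, detail) findings for one telemetry line."""
    ev = parse_kv(line)
    findings = []
    kind = ev.get("event")
    if kind == "ps_scriptblock":
        text = ev.get("script", "")
        if DEFENDER_CMDLET.search(text) and DEFENDER_EXCLUSION_PARAM.search(text):
            findings.append(("defender_exclusion", text))
    elif kind == "dns_query":
        q = ev.get("query", "").lower()
        if q in IP_LOOKUP_DOMAINS:
            findings.append(("external_ip_lookup", f"{ev.get('image')} -> {q}"))
    elif kind == "net_connect":
        dst = ev.get("dst", "").lower()
        port = int(ev.get("dport", 0))
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if dst == EXFIL_HOST and port == EXFIL_PORT:
            # Exact match on the extracted C2/exfil endpoint: high confidence.
            findings.append(("agenttesla_smtp_c2", f"{image} -> {dst}:{port}"))
        elif port == EXFIL_PORT and image not in MAIL_CLIENTS:
            # Generic: SMTP submission from something that is not a mail client.
            findings.append(("smtp_from_non_mail_client", f"{image} -> {dst}:{port}"))
    return findings


def scan(text):
    """Run classify over every non-empty line; return findings grouped by tag."""
    out = {}
    for line in text.strip().splitlines():
        if line.strip():
            for tag, detail in classify(line):
                out.setdefault(tag, []).append(detail)
    return out


if __name__ == "__main__":
    for tag, hits in scan(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{tag}] {hit}")
```

The script-block check works on PowerShell event 4104 text, which is logged after decoding, so `-EncodedCommand` wrappers do not hide the cmdlet; string-built cmdlet names (`& ("Add-Mp" + "Preference")`) would, so pair this with Defender's own operational log, where event 5007 records every configuration change regardless of how it was made. The SMTP rule is only useful if your egress policy already restricts port 587 to known mail clients; otherwise the generic branch will be noisy and only the exact-host match is actionable.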
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter: 1
  PowerShell: 1
Scheduled Task/Job: 1
  Scheduled Task: 1