General
-
Target
PO-000001376_1.rar
-
Size
561KB
-
Sample
250328-qlhzkawxax
-
MD5
34fb04f9553c8a6479500bc158801e0f
-
SHA1
0f323e0152449f209f86a3424ae86dd8a11ae84d
-
SHA256
16055416a11eb8ab5c14792e9c76bf8201fb717aea1cbf397b3cad40b0c72fd5
-
SHA512
e6dd6fc22188f0989b595d4e503d596c47de4be35557a7c64be0af4ef2318c03010e6304fa84e3a9391ab4ea568ee53ce125005433162480ad232a486c550ec4
-
SSDEEP
12288:J7FfMoNEw9Z9RC5e3iiTnKGU5bQgrFG84iDYFkvU19yIRQoh:zfM0/45e3i8KGzkFGY7aUIth
Static task
static1
Behavioral task
behavioral1
Sample
PO-000001376.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PO-000001376.exe
Resource
win10v2004-20250314-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.mbarieservicesltd.com
Port: 587
Username: saless@mbarieservicesltd.com
Password: *o9H+18Q4%;M
Email To: iinfo@mbarieservicesltd.com
Targets
-
-
Target
PO-000001376.exe
-
Size
678KB
-
MD5
5cdffbc158d92ba63a98e4c66993b9d3
-
SHA1
63fa640b24994bdb7ffa0ef894582aef7c7a4ed8
-
SHA256
4b669a9882308c41461e55b5c429cad387b139f10c73bf23bf4181a6b42544f9
-
SHA512
d327a71a7bdaf9ef5740897010bec764cd16834ac5287e49406ff712e568724f6cd3bf5d856233ba1d89edbb6e6de2fa36ed0861d84db4958c896b223c25b0ff
-
SSDEEP
12288:pEX9fTePp7Vf59KrK/NduOlBh65jK9NWPVUfmt3vOFRCtNT1x0G:eX9f6pxf59eKNXzweAPmAMCt3O
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).
-
Agenttesla family
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the dropped payload is no longer scanned.
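The report only records that the sample runs PowerShell to add Defender exclusions; it does not show the command. The following is an added example (not from the report and not Agent Tesla's own code) of the check a responder would run over exported PowerShell ScriptBlock logging text (Event ID 4104): it finds Add-MpPreference / Set-MpPreference calls that set any -Exclusion* parameter, including PowerShell's abbreviated parameter prefixes, and extracts what was excluded. The event texts are constructed for illustration; the cmdlet and parameter names are the real Defender ones.

```python
"""Detect Defender-exclusion tampering in PowerShell script-block text.

Added example, not part of the sandbox report. Input is assumed to be the
ScriptBlockText of Event ID 4104 records already exported as plain strings.
All sample events below are constructed, not taken from the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Real parameters of Add-/Set-MpPreference that create exclusions.
EXCLUSION_PARAMS = {
    "ExclusionPath": "path",
    "ExclusionExtension": "extension",
    "ExclusionProcess": "process",
    "ExclusionIpAddress": "ip",
}

# Cmdlet name plus its arguments, up to a statement separator or pipe.
CMDLET_RE = re.compile(r"\b((?:Add|Set)-MpPreference)\b([^;|\n]*)", re.IGNORECASE)
# Any -Exclusion... parameter and its value(s); the value runs until the next
# " -Parameter" or the end of the statement.
PARAM_RE = re.compile(r"-(Exclusion[A-Za-z]*)\s+(.*?)(?=\s+-[A-Za-z]|$)", re.IGNORECASE)


@dataclass
class Finding:
    cmdlet: str
    kind: str          # path / extension / process / ip
    values: list[str]


def resolve_param(name: str) -> Optional[str]:
    """PowerShell accepts any unambiguous parameter prefix (-ExclusionPa for
    -ExclusionPath), so abbreviated calls must be resolved too. An ambiguous
    prefix such as -ExclusionP is an error in PowerShell and is ignored here."""
    hits = [p for p in EXCLUSION_PARAMS if p.lower().startswith(name.lower())]
    return hits[0] if len(hits) == 1 else None


def split_values(raw: str) -> list[str]:
    """Turn `"a", 'b'` or `@('a','b')` into ['a', 'b']."""
    raw = raw.strip()
    if raw.startswith("@(") and raw.endswith(")"):
        raw = raw[2:-1]
    return [v.strip().strip("'\"") for v in raw.split(",") if v.strip()]


def find_exclusion_tampering(script_text: str) -> list[Finding]:
    """Return one Finding per -Exclusion* parameter set by Add-/Set-MpPreference."""
    findings: list[Finding] = []
    for cmdlet, args in CMDLET_RE.findall(script_text):
        canonical = "Add-MpPreference" if cmdlet.lower().startswith("add") else "Set-MpPreference"
        for name, raw in PARAM_RE.findall(args):
            full = resolve_param(name)
            if full is not None:
                findings.append(Finding(canonical, EXCLUSION_PARAMS[full], split_values(raw)))
    return findings


def scan_events(events: list[str]) -> list[tuple[int, Finding]]:
    """Return (event index, finding) pairs for every tampering call seen."""
    return [(i, f) for i, text in enumerate(events) for f in find_exclusion_tampering(text)]


# Constructed 4104 ScriptBlockText samples (not from the analysed sample).
SAMPLE_EVENTS = [
    "Get-MpPreference | Select-Object ExclusionPath",   # read-only admin query, benign
    'Add-MpPreference -ExclusionPath "C:\\Users\\Public\\svchost", "%TEMP%" '
    '-ExclusionExtension ".exe",".scr" -ExclusionProcess "C:\\Users\\Public\\updater.exe"',
    "Set-MpPreference -ExclusionProcess @('powershell.exe','cmd.exe') -DisableRealtimeMonitoring $true",
    "add-mppreference -exclusionpa 'D:\\drop'",          # abbreviated parameter, lower case
]

if __name__ == "__main__":
    for idx, f in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {f.cmdlet} adds {f.kind} exclusion(s): {f.values}")
```

This is a text match on logged script blocks, so it depends on ScriptBlock logging being enabled and will miss string-built or otherwise obfuscated cmdlet names; pair it with Defender's own operational log, which records each exclusion change, and with a periodic review of the exclusions actually in force on the host.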
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext (a common indicator of process hollowing, where a suspended process's thread is redirected to injected code)
-
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores: 1
    Credentials from Web Browsers: 1
Unsecured Credentials: 4
    Credentials In Files: 3
    Credentials in Registry: 1