General

  • Target

    c88b3cef97d1415ec4c543a13ec4d35528b957797974637ade947e412ba7e720

  • Size

    651KB

  • Sample

    250701-e8dsksar8y

  • MD5

    13861ed06bd2a1b63f64654fed286d2e

  • SHA1

    d273244255cb7feae51b921e108177a0aaf409f9

  • SHA256

    c88b3cef97d1415ec4c543a13ec4d35528b957797974637ade947e412ba7e720

  • SHA512

    34625a865b9099f2f68004404439c57119a81332d1c5d73aaf7ea2c365554d584dcae05dca5fbb7ee967e3451911b49cb76aaf292c69952d95be7f1498502501

  • SSDEEP

    12288:78a0xpAai8zxd4zjUsRB2sy+ZAyzkp6kRl1AGqBCgngbrw6u7xnCJ7nfPho:r6I8zxdggTb9v1r+ngbe9nCJju

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.haliza.com.my
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    JesusChrist007$

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.haliza.com.my
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    JesusChrist007$
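
The two "Extracted" records above describe the same exfiltration endpoint (the second simply carries an "ftp://" prefix and adds the family label), so a responder wants to normalise them into one indicator and match it against endpoint telemetry. The following is an added example, not part of the sandbox report: it folds the records into (protocol, host, port) indicators and runs them over constructed Sysmon-style events (DNS query, event 22; network connection, event 3). The event records, the process path and the 203.0.113.10 / 198.51.100.5 addresses are constructed for the example; the report's username and password are left out because only the network endpoint is needed here.

```python
"""Turn the extracted Agent Tesla FTP configuration into indicators and match them
against endpoint telemetry.  Added example; not part of the sandbox report."""
import re
from typing import Dict, List, Tuple

# The two "Extracted" records as the report prints them (username/password omitted:
# the page shows the username redacted, and neither is needed for network matching).
# The second Host carries an "ftp://" prefix and only the second names the family.
EXTRACTED_CONFIGS = [
    {"Protocol": "ftp", "Host": "ftp.haliza.com.my", "Port": "21"},
    {"Family": "agenttesla", "Protocol": "ftp", "Host": "ftp://ftp.haliza.com.my", "Port": "21"},
]

SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)
# Sysmon writes IPv4 answers in QueryResults as "::ffff:a.b.c.d;".
IPV4_RE = re.compile(r"(?:::ffff:)?(\d{1,3}(?:\.\d{1,3}){3})")


def normalise_host(host: str) -> str:
    """Strip scheme, path and explicit port so 'ftp://x.y/' and 'x.y:21' compare equal."""
    host = SCHEME_RE.sub("", host.strip()).split("/", 1)[0]
    host = re.sub(r":\d+$", "", host)
    return host.lower()


def build_iocs(configs) -> Dict[Tuple[str, str, int], str]:
    """Map (protocol, host, port) -> family; repeated extractions of one config collapse."""
    iocs: Dict[Tuple[str, str, int], str] = {}
    for c in configs:
        key = (c["Protocol"].lower(), normalise_host(c["Host"]), int(c["Port"]))
        family = c.get("Family", "unknown")
        if iocs.get(key, "unknown") == "unknown":   # a labelled record wins over an unlabelled one
            iocs[key] = family
    return iocs


# Constructed Sysmon-style events (not from the report).  Event 22 is a DNS query with
# the answers in QueryResults; event 3 is an outbound connection.  Sysmon fills
# DestinationHostname from reverse DNS, so the lookup name from event 22 is the
# reliable link between the C2 hostname and the IP the process later connects to.
PAYLOAD = r"C:\Users\victim\AppData\Local\Temp\Payslip for June 2025_Transaction Ref#253006.pdf.exe"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EVENTS = [
    {"EventID": 22, "Image": PAYLOAD, "QueryName": "ftp.haliza.com.my", "QueryResults": "::ffff:203.0.113.10;"},
    {"EventID": 3, "Image": PAYLOAD, "DestinationIp": "203.0.113.10", "DestinationPort": 21},
    {"EventID": 22, "Image": BROWSER, "QueryName": "www.example.org", "QueryResults": "::ffff:198.51.100.5;"},
    {"EventID": 3, "Image": BROWSER, "DestinationIp": "198.51.100.5", "DestinationPort": 443},
    # Same C2 IP but a port not in the extracted config: only the DNS hit fires for it.
    {"EventID": 3, "Image": PAYLOAD, "DestinationIp": "203.0.113.10", "DestinationPort": 587},
]


def match_events(events, iocs) -> List[Dict[str, str]]:
    """Flag DNS lookups of a C2 host and later connections to the IP it resolved to."""
    hosts = {h for (_, h, _) in iocs}
    ports_for_host: Dict[str, set] = {}
    for (_, h, p) in iocs:
        ports_for_host.setdefault(h, set()).add(p)
    resolved: Dict[str, str] = {}          # ip -> C2 hostname seen in a flagged lookup
    hits: List[Dict[str, str]] = []
    for ev in events:
        if ev["EventID"] == 22:
            name = normalise_host(ev["QueryName"])
            if name in hosts:
                hits.append({"rule": "dns_lookup_of_c2", "Image": ev["Image"], "indicator": name})
                for ip in IPV4_RE.findall(ev.get("QueryResults", "")):
                    resolved[ip] = name
        elif ev["EventID"] == 3:
            ip, port = ev["DestinationIp"], int(ev["DestinationPort"])
            name = resolved.get(ip)
            if name and port in ports_for_host[name]:
                hits.append({"rule": "connection_to_c2", "Image": ev["Image"],
                             "indicator": f"{name}:{port}"})
    return hits


if __name__ == "__main__":
    for hit in match_events(EVENTS, build_iocs(EXTRACTED_CONFIGS)):
        print(hit)
```

Keying the indicator on the normalised host rather than on the raw string is what makes the two records collapse into one; keying the connection check on the IP learned from the process's own DNS answer avoids depending on Sysmon's reverse-DNS field, which is often empty or names a hosting provider rather than the C2 domain.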

Targets

    • Target

      Payslip for June 2025_Transaction Ref#253006.pdf.exe

    • Size

      723KB

    • MD5

      135d01a0215fbd3400c4ebdf158d629e

    • SHA1

      ac217335a2b909a910a7e2f65c5ffd5cc4372b44

    • SHA256

      99d1f6ce99a8c07c33ee2dafe789299e0a51c2860882a2548c6e612606b1c1c1

    • SHA512

      6d8bbe5814d3348e6b3382f464ef74056edd706370aaf3f6c3324215dadcfb2884ff6c79d4d5969e7149d4434fdaa93425bb988525a78cb573a62e7144d10ff8

    • SSDEEP

      12288:F+iwMebaAii8zTd4djUERB2yy+ZwKzk96yRltAGqVC+ngbrw6u7xnt7IZUg:XuaG8zTh4gN1tvtrWngbm9n2Z

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and information stealer. This sample is configured to exfiltrate over FTP to the host in the extracted credentials above.

    • Agenttesla family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Microsoft Defender exclusions for file extensions, paths and processes, so that the excluded items are no longer scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
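
The "Command and Scripting Interpreter: PowerShell" behaviour above (adding Defender exclusions for extensions, paths and processes) maps to ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools, and is visible in PowerShell Script Block Logging (Event ID 4104). The following is an added example, not part of the sandbox report: it parses the exclusion-widening parameters of Add-MpPreference / Set-MpPreference out of script block text, scores exclusions of user-writable paths or executable extensions as high, and also flags the related switch-off parameters such as -DisableRealtimeMonitoring. The 4104 records, process IDs and paths are constructed for the example.

```python
"""Flag PowerShell script blocks that widen Microsoft Defender exclusions or switch
protection off.  Added example; the Event ID 4104 records are constructed, not from the report."""
import re
from typing import Dict, List

# A single parameter value: 'quoted', "quoted", or a bare token that does not start
# with '-' (so the next -Parameter is never swallowed as a value).
VALUE = r"""(?:'[^']*'|"[^"]*"|[^\s,'"-][^\s,'"]*)"""
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
PARAM_RE = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess)\s+(" + VALUE + r"(?:\s*,\s*" + VALUE + r")*)",
    re.I,
)
VALUE_RE = re.compile(VALUE)
DISABLE_RE = re.compile(
    r"-(DisableRealtimeMonitoring|DisableIOAVProtection|DisableBehaviorMonitoring|DisableScriptScanning)\s+\$?true\b",
    re.I,
)
# Locations a non-admin payload can write to; an exclusion there shields the dropper itself.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\|\\AppData\\|\\Temp\b|\\ProgramData\b|%(?:APPDATA|TEMP|TMP|USERPROFILE)%", re.I)
RISKY_EXT = {"exe", "dll", "ps1", "vbs", "js", "bat", "cmd", "scr"}
CANONICAL = {"exclusionpath": "ExclusionPath", "exclusionextension": "ExclusionExtension",
             "exclusionprocess": "ExclusionProcess"}


def parse_exclusions(script_block: str) -> Dict[str, List[str]]:
    """Return {parameter: [values]} for each exclusion-widening parameter in the block."""
    found: Dict[str, List[str]] = {}
    if not CMDLET_RE.search(script_block):          # Get-MpPreference etc. are benign
        return found
    for m in PARAM_RE.finditer(script_block):
        param = CANONICAL[m.group(1).lower()]
        values = [v.strip("'\"") for v in VALUE_RE.findall(m.group(2))]
        found.setdefault(param, []).extend(values)
    return found


def triage(events) -> List[Dict[str, object]]:
    """Score each 4104 event: exclusions of user-writable paths or executable extensions are high."""
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        text = ev["ScriptBlockText"]
        for param, values in parse_exclusions(text).items():
            for value in values:
                severity = "medium"
                if param == "ExclusionExtension" and value.lower().lstrip(".") in RISKY_EXT:
                    severity = "high"
                elif param == "ExclusionPath" and USER_WRITABLE_RE.search(value):
                    severity = "high"
                findings.append({"ProcessId": ev["ProcessId"], "technique": "T1562.001",
                                 "param": param, "value": value, "severity": severity})
        if CMDLET_RE.search(text):
            for m in DISABLE_RE.finditer(text):
                findings.append({"ProcessId": ev["ProcessId"], "technique": "T1562.001",
                                 "param": m.group(1), "value": "$true", "severity": "high"})
    return findings


# Constructed Event ID 4104 records (not from the report).
SCRIPT_BLOCKS = [
    {"EventID": 4104, "ProcessId": 4412, "ScriptBlockText":
     r"Add-MpPreference -ExclusionPath 'C:\Users\victim\AppData\Roaming', 'C:\Users\victim\AppData\Local\Temp' "
     r"-ExclusionExtension exe,dll -ExclusionProcess 'payload.exe'"},
    {"EventID": 4104, "ProcessId": 5120, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},
    {"EventID": 4104, "ProcessId": 6008, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "ProcessId": 7000, "ScriptBlockText": r"Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor\App'"},
]

if __name__ == "__main__":
    for finding in triage(SCRIPT_BLOCKS):
        print(finding)
```

Script Block Logging must be enabled for 4104 events to exist; where it is not, the same exclusion changes can be recovered from Defender's own operational log (Event ID 5007, configuration change) or by diffing Get-MpPreference output, but the script block text is what ties the change to the process that made it.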

MITRE ATT&CK Enterprise v16

Tasks