General

  • Target

    01072025_0542_27062025_SOA_Ref00696006.7z

  • Size

    318KB

  • Sample

    250701-geda3aen91

  • MD5

    1a2ad57ed896396db3292c97d33f45c0

  • SHA1

    337bf9ef6773741c1133b60666ebf17a1a5a683d

  • SHA256

    1388839ee060ec5d708953d5f2cdc837203856b49ffa1b81bc77e910b50316b1

  • SHA512

    9c4a0f2a860f516916368209e160883b05b151c90185adaef62dab385695e4fe0d1e5709e82b3558c357a030c73ace0d4d0c8d8d6a09d10863570793bc604cef

  • SSDEEP

    6144:gfNSVgu2/JPzyMRBk9ZfDCSpiZ7TkeRfnwAyTSA0gYYTh+CHwM5mYWQigF:yNSVguQ5ZBE9DAZ7zuTL/9DQM5jWQim

Malware Config

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      SOA_Ref00696006.vbs

    • Size

      1.8MB

    • MD5

      40eb547cf5b595c44dc422a30ce46275

    • SHA1

      8ab503b56691b87d48a3686ef78a82b259497b8b

    • SHA256

      df2b737329ae7cb4cbf012a8cf989621faa7233f3cb21327640010543b2c60d9

    • SHA512

      a256c4fbbc7be40e4e2d4cdf7df1ec194df17e8e54b6e0744fc86800cd2caa5b452dd7761d231db6968f59fe4beaaa2bafaca881ae89ffd857c62494e9b78867

    • SSDEEP

      49152:FrnieFsARDzFzKVzTfjF8B9TA5za5ibhZ/XTLUp0TRW:f

    • AgentTesla

      Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; in this submission it is delivered by a VBScript (.vbs) dropper.

    • Agenttesla family

    • Process spawned unexpected child process

      A parent process launched a child it normally never would. This typically indicates the parent was compromised via an exploit or macro, or, as with a script dropper, that a script host launched a second-stage interpreter.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (e.g. -WindowStyle Hidden, or a prefix form such as -w hidden) so the victim sees no window.

    • Checks computer location settings

      Reads the country code configured in the registry (e.g. under HKCU\Control Panel\International), likely to geofence execution to or away from particular regions.

    • Looks up external IP address via web service

      Uses a legitimate public IP-lookup web service to learn the infected host's external IP address; Agent Tesla typically includes it in the data it exfiltrates.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on another process's thread is a hallmark of process hollowing and similar injection: a suspended process is overwritten with the payload and its thread's instruction pointer redirected before it resumes.
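The signatures above ("Process spawned unexpected child process", hidden-window PowerShell, and the external IP lookup) can be checked against endpoint telemetry. The script below is an added example, not part of this sandbox report or of any vendor's detection content: it runs the three checks over constructed Sysmon-style events (EventID 1 process creation and EventID 22 DNS query). The script-host, shell and IP-lookup-domain watchlists are assumptions chosen for the example, not values extracted from the sample. Registry reads (the geofence check) and SetThreadContext are not visible in these two event types and are out of scope here.

```python
"""Behaviour checks over constructed Sysmon-like events.

Added example, not part of the sandbox report. Watchlists below are
assumptions for illustration; tune them for your own environment.
"""

# Assumed: script hosts that should not normally spawn a shell.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Assumed: public IP-lookup services often queried by info-stealers.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ip-api.com", "checkip.dyndns.org", "ipinfo.io"}


def _is_prefix(token: str, full: str) -> bool:
    """PowerShell accepts any unambiguous prefix of a parameter or enum
    value, so -w hidden, -win hid and -WindowStyle Hidden are equivalent."""
    return 0 < len(token) <= len(full) and full.startswith(token)


def hidden_window(cmdline: str) -> bool:
    """True if a PowerShell command line asks for a hidden window."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok[:1] in ("-", "/") and _is_prefix(tok[1:].lower(), "windowstyle"):
            value = toks[i + 1].strip("\"'").lower()
            if _is_prefix(value, "hidden"):
                return True
    return False


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_events(events):
    """Return (signature, subject, detail) tuples for every event that
    matches one of the three behaviour checks."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in SCRIPT_HOSTS and child in SHELLS:
                findings.append(("unexpected_child", parent, child))
            if child in POWERSHELL and hidden_window(ev["CommandLine"]):
                findings.append(("hidden_powershell", child, ev["CommandLine"]))
        elif ev["EventID"] == 22:  # DNS query
            if ev["QueryName"].lower() in IP_LOOKUP_DOMAINS:
                findings.append(("external_ip_lookup", basename(ev["Image"]), ev["QueryName"]))
    return findings


# Constructed sample telemetry: a script host launching hidden PowerShell,
# a benign PowerShell run, an IP-lookup DNS query, and a benign DNS query.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "Start-Sleep -s 1"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"EventID": 22, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "api.ipify.org"},
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.mozilla.org"},
]


if __name__ == "__main__":
    for finding in check_events(SAMPLE_EVENTS):
        print(*finding)
```

The prefix matching in hidden_window matters in practice: droppers routinely write -w hidden or -win 1 rather than the full -WindowStyle Hidden, and a string match on the long form alone misses them. Run against real Sysmon exports by mapping the ParentImage, Image, CommandLine, QueryName fields into the same dictionaries.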

MITRE ATT&CK Enterprise v16

Tasks