General
Target: QUOTATION 2244 - METITO OVERSEAS_ LPO 021022168 AMND 01.exe
Size: 723KB
Sample: 250701-gnlc2a1vhx
MD5: 135d01a0215fbd3400c4ebdf158d629e
SHA1: ac217335a2b909a910a7e2f65c5ffd5cc4372b44
SHA256: 99d1f6ce99a8c07c33ee2dafe789299e0a51c2860882a2548c6e612606b1c1c1
SHA512: 6d8bbe5814d3348e6b3382f464ef74056edd706370aaf3f6c3324215dadcfb2884ff6c79d4d5969e7149d4434fdaa93425bb988525a78cb573a62e7144d10ff8
SSDEEP: 12288:F+iwMebaAii8zTd4djUERB2yy+ZwKzk96yRltAGqVC+ngbrw6u7xnt7IZUg:XuaG8zTh4gN1tvtrWngbm9n2Z
Static task: static1

Behavioral task: behavioral1
  Sample: QUOTATION 2244 - METITO OVERSEAS_ LPO 021022168 AMND 01.exe
  Resource: win10v2004-20250502-en

Behavioral task: behavioral2
  Sample: QUOTATION 2244 - METITO OVERSEAS_ LPO 021022168 AMND 01.exe
  Resource: win11-20250619-en
Malware Config

Extracted
  Protocol: ftp
  Host: ftp.haliza.com.my
  Port: 21
  Username: [email protected]
  Password: JesusChrist007$

Extracted (agenttesla)
  Protocol: ftp
  Host: ftp://ftp.haliza.com.my
  Port: 21
  Username: [email protected]
  Password: JesusChrist007$
Targets
Target: QUOTATION 2244 - METITO OVERSEAS_ LPO 021022168 AMND 01.exe
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Agenttesla family
Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (3)
    Credentials in Registry (1)