General
- Target: e222d75a33fff327ec1254811a7304797c289cdfb30be9fe11013bbb40c7aa5d
- Size: 726KB
- Sample: 240428-bl2pcacf98
- MD5: 126f918e50102b724bc12bc368659c26
- SHA1: b42dbabdd6fa6fae98642dd4d3619daf8e26e960
- SHA256: e222d75a33fff327ec1254811a7304797c289cdfb30be9fe11013bbb40c7aa5d
- SHA512: 1093165e4bb2ddc0db24ec235babe843dcf82d9e8e20cfbc6e320af509b99dd0337a17a8b8862777df8621ec218f020565f30ae86dc34c0c78cd2ae525df1177
- SSDEEP: 12288:YWYIPXjxannnHg2ahnN4vbcUNl9P7ytOH3utm0eULAZC+yGvk2YPmI1:YWYIPFannnHg240lwQCmsAZp5vCL1
Static task: static1
Behavioral task: behavioral1
- Sample: e222d75a33fff327ec1254811a7304797c289cdfb30be9fe11013bbb40c7aa5d.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: e222d75a33fff327ec1254811a7304797c289cdfb30be9fe11013bbb40c7aa5d.exe
- Resource: win10v2004-20240426-en
Malware Config
Extracted: agenttesla
- https://api.telegram.org/bot7102823318:AAHAsxGnWgIMglBwmkDdZmvCKtYHywBY4Bc/
Targets
- Target: e222d75a33fff327ec1254811a7304797c289cdfb30be9fe11013bbb40c7aa5d
- Size: 726KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1); Scheduled Task/Job (1)
- Privilege Escalation: Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1); Scheduled Task/Job (1)