General
- Target: 2da9543a96dc5ca68af4c2e095e21f49
- Size: 1.7MB
- Sample: 221125-dz7hvsha39
- MD5: 2da9543a96dc5ca68af4c2e095e21f49
- SHA1: 2b48017b795efe9c9dc0f2df7ae8bb79141506c5
- SHA256: e7be55c53cc03e17484068b1f69f6b2091f9cfe105480b9595f30bb557112f14
- SHA512: e22e59c80641929d192493b8bd000fbf92c063b592d6725d3f85c276eaaa5bfb72e350eb7e42c88d8daff486cc188ab430647237dc7ececf7d75d03c3dff62b2
- SSDEEP: 12288:QnjoopN3RLxQLVX9Kr09aFwSVnWZQzjFeM6DJOjB9sTTHy0y0UK0jWSJSmQhVW8K:kRLxQLJ9KvVnYQb6VOwyrJuWXS5
Static task: static1
Behavioral task: behavioral1
- Sample: 2da9543a96dc5ca68af4c2e095e21f49.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: 2da9543a96dc5ca68af4c2e095e21f49.exe
- Resource: win10v2004-20221111-en
Malware Config
- Extracted (agenttesla): https://api.telegram.org/bot5655543251:AAF6zs8TWZ5wmyQhXrUZEpQjh6VaOy-aYoQ/
- Extracted (wshrat): http://snkcyp.duckdns.org:44147
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- WSHRAT payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext