General

Target: 7botYDIX478qQdk.exe
Size: 694KB
Sample: 221205-r9we8saf23
MD5: 2daffeb4bfe82105ae4f2a8a0285e452
SHA1: fd74adbc0716f2039cd16eaec2f6e91f968c0973
SHA256: bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a
SHA512: 1c9b71a1b40c927b52a09deeaf506cff3ec799220344bca3f114208f041672869c927b0faabb700c69e41445590f3c65fad6b40446e1b8d54c761504e1725736
SSDEEP: 12288:R5PuYd+V6b1momPZefRtOR9t0+6CUPsK2XUDZXipyKLBWeiOxJuui80tPuYd+V6b:bPuYd+V6bIomxiRYRL0+6Ctp2XipNvu7
Static task: static1
Behavioral task: behavioral1
  Sample: 7botYDIX478qQdk.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 7botYDIX478qQdk.exe
  Resource: win10v2004-20220812-en
Malware Config

Extracted family: agenttesla
Exfiltration endpoint (Telegram Bot API): https://api.telegram.org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/

The token in the URL path (the numeric bot id, a colon, and a 35-character secret) is the operator's credential for that bot. api.telegram.org is a legitimate service that ordinary Telegram clients also use, so detection should key on the bot-token path pattern and on which process makes the request, not on the domain alone.
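The following Python is an added triage example, not output of the sandbox or code from the malware: it recognises Telegram Bot API URLs of the shape extracted above, redacts the secret half of the token so the indicator can be shared, flags matching requests in a few constructed proxy log lines (the log format, the host names and the `telegram.exe` allowlist are assumptions), and checks digests against the hashes listed under General.

```python
"""Triage helpers for the indicators in this report (added example).

The proxy log lines and the allowlist below are constructed for the
example; only the hashes and the C2 URL are copied from the report.
"""
import hashlib
import re
from typing import Optional

# Indicators copied from the report.
SAMPLE_HASHES = {
    "md5": "2daffeb4bfe82105ae4f2a8a0285e452",
    "sha1": "fd74adbc0716f2039cd16eaec2f6e91f968c0973",
    "sha256": "bd9e8e98b57be42915462ea8282987ebe17d779ead3d4c6461ec9e4d59150b3a",
}
C2_URL = "https://api.telegram.org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/"

# Telegram bot tokens are "<numeric bot id>:<35-char secret>". The bot id is
# safe to share; the secret is a live credential and must be redacted.
TOKEN_RE = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{8,10}):(?P<secret>[A-Za-z0-9_-]{35})"
    r"(?:/(?P<method>[A-Za-z]+))?"
)

# Hypothetical allowlist of processes expected to talk to the Bot API.
TELEGRAM_CLIENTS = {"telegram.exe"}

# Constructed proxy log: ts host src_ip verb url status process
PROXY_LOG = """\
1670000000.123 ws01 10.0.0.15 POST https://api.telegram.org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/sendDocument 200 7botYDIX478qQdk.exe
1670000001.456 ws02 10.0.0.22 GET https://api.telegram.org/bot1234567890:AAEexampleexampleexampleexample_x12/getUpdates 200 Telegram.exe
1670000002.789 ws03 10.0.0.31 GET https://www.example.com/ 200 chrome.exe
"""


def parse_bot_url(url: str) -> Optional[dict]:
    """Split a Bot API URL into bot id, secret and API method (None if absent)."""
    m = TOKEN_RE.search(url)
    if m is None:
        return None
    return {"bot_id": m["bot_id"], "secret": m["secret"], "method": m["method"]}


def redact_bot_url(url: str) -> str:
    """Keep the bot id and method but replace the secret before sharing the IOC."""
    def _redact(m: re.Match) -> str:
        tail = f"/{m['method']}" if m["method"] else ""
        return f"api.telegram.org/bot{m['bot_id']}:<REDACTED>{tail}"
    return TOKEN_RE.sub(_redact, url)


KNOWN_BAD_BOT_IDS = {parse_bot_url(C2_URL)["bot_id"]}


def scan_proxy_log(log: str, known_bad=KNOWN_BAD_BOT_IDS, allowlist=TELEGRAM_CLIENTS) -> list:
    """Return one finding per Bot API request, graded by bot id and requesting process."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, host, _src, _verb, url, _status, process = line.split()
        info = parse_bot_url(url)
        if info is None:
            continue
        if info["bot_id"] in known_bad:
            severity = "high"          # exact C2 from the report
        elif process.lower() not in allowlist:
            severity = "medium"        # Bot API use from an unexpected process
        else:
            severity = "info"          # legitimate client; domain alone is not evidence
        hits.append({
            "host": host, "process": process, "bot_id": info["bot_id"],
            "method": info["method"], "url": redact_bot_url(url), "severity": severity,
        })
    return hits


def match_hash(digest: str) -> Optional[str]:
    """Name the algorithm whose report value equals digest, or None."""
    digest = digest.lower()
    for algo, value in SAMPLE_HASHES.items():
        if digest == value:
            return algo
    return None


def hash_file_bytes(data: bytes) -> dict:
    """Compute the same three digests the report lists."""
    return {algo: getattr(hashlib, algo)(data).hexdigest() for algo in SAMPLE_HASHES}


def file_matches_sample(data: bytes) -> bool:
    """True if any digest of data equals one of the report's hashes."""
    return any(match_hash(d) for d in hash_file_bytes(data).values())


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit)
```

The grading deliberately treats the domain as neutral: only the bot id from the extracted config is "high", an unexpected process is "medium", and a known Telegram client is informational. The redacted form of the URL is what should go into a shared indicator list, since the full token lets anyone drive the bot.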
Targets

Target: 7botYDIX478qQdk.exe (694KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)

Signatures:
- AgentTesla: Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.
- Accesses Microsoft Outlook profiles: consistent with the family's harvesting of stored mail-client credentials.
- Adds Run key to start application: persistence via a Run registry key.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, which the stealer reports alongside the harvested data.
- Suspicious use of SetThreadContext: an API commonly used to redirect execution in a suspended process, as in process hollowing or similar injection.