General

  • Target

    SOA Feb-March 2023.bat

  • Size

    1.3MB

  • Sample

    230331-h7srwsac6z

  • MD5

    9f8f23997c4e07be88d8dbe835c8b6ed

  • SHA1

    9f40b97b7e1605b05174a6547b9ff470511d5a1f

  • SHA256

    a354101aa8c8db6f2b337ebc68571edd296d374ad8a99f79fd62d2c07321993e

  • SHA512

    5c0660381331a47163f7cd4e1e87c156966dd8c068d852073429523d29e92c934f3de381a7bd8e6cf1efaf94b21864c91c620b850e93c2399ccef476d8228586

  • SSDEEP

    24576:VXdQ7L0Et7plPQaneOkwJzHqOoLokXb184bQM9w5WpFapcq+14kEKaQ8wV9GtnR:KznmW1VH9w2S4QPGr

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/

Targets

    • Target

      SOA Feb-March 2023.bat

    • Size

      1.3MB

    • MD5

      9f8f23997c4e07be88d8dbe835c8b6ed

    • SHA1

      9f40b97b7e1605b05174a6547b9ff470511d5a1f

    • SHA256

      a354101aa8c8db6f2b337ebc68571edd296d374ad8a99f79fd62d2c07321993e

    • SHA512

      5c0660381331a47163f7cd4e1e87c156966dd8c068d852073429523d29e92c934f3de381a7bd8e6cf1efaf94b21864c91c620b850e93c2399ccef476d8228586

    • SSDEEP

      24576:VXdQ7L0Et7plPQaneOkwJzHqOoLokXb184bQM9w5WpFapcq+14kEKaQ8wV9GtnR:KznmW1VH9w2S4QPGr

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Sets file to hidden

      Modifies file attributes to stop it from showing in Explorer, etc.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Detected potential entity reuse from brand Microsoft.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence
    Hidden Files and Directories (2)   T1158

Defense Evasion
    Hidden Files and Directories (2)   T1158

Discovery
    Query Registry (2)                 T1012
    System Information Discovery (3)   T1082

Tasks