General
Target: SOA 22011~2302.zip
Size: 564KB
Sample: 230403-kg1e6adf73
MD5: ad6a82e1467192626a165a91fc3f70fa
SHA1: a780e048ef2e8092396ee4cb5afe3c4f5d42b267
SHA256: 359aba069a1a5f72fa545ccdaf896ee30c395951032b5f1bcbb247550e363b6b
SHA512: 12b40a36bf89162adb1de42c68268c176c7102ab695eefce8bd2c09b921ab2bd32e558645e254663300b026242d47a96284e13175b0fbaf2d9baa902b55d32cf
SSDEEP: 12288:qHMmso67S9nf/vZKUffgN/gi+Mn501/no+E2KHqPVHxsnx6vpLSX:OVso6gXZrgBT+M501/w2aqPVHxs4pWX
Static task: static1
Behavioral task: behavioral1
  Sample: SOA 22011~2302.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: SOA 22011~2302.exe
  Resource: win10v2004-20230221-en
Malware Config
Extracted (agenttesla): https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
Targets
Target: SOA 22011~2302.exe
Size: 628KB
MD5: d3fea9f328fda4aacb4b5076701ce969
SHA1: fe23b935f871609c836b1b5cc4c598da2785f970
SHA256: 45981fd05046a30bdeb47e1976b3eb1c82d445647213095ca17168e1eb35be7b
SHA512: 5dd2d7c724c81af1e1be8ed9b29b7df5e77b6c1de9beea07849a8bc0beb9870dfcb22032ee6267ce490d827f5b0120cf38e0621e8a34ace7cdf844ed97a68943
SSDEEP: 12288:4D/OVtLVzLwrm1SR9nSzvGvr8+MF561/To+E4eK9QCZ:iwSYvGvr8+M/61/k4l9
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext