General
Target: 34bf379cdc9e09d6719b6ea649c0a3db605839dae82de4a0aacf2968c3d3e817
Size: 2.0MB
Sample: 231201-g3n3gafe8z
MD5: dbbe578c63c1e335548fe16d720a9ed8
SHA1: fa25f462ca1ef7b6641ed2ce2ef06edc029ad79d
SHA256: 34bf379cdc9e09d6719b6ea649c0a3db605839dae82de4a0aacf2968c3d3e817
SHA512: d3a3d35f126c8a4dad6327b1e01e2e299bede6f41cf15015822ef820ac3150a5522f71180091024bfbd5ff578fce2c66dd9979df23acefe9fe312861ccb24f15
SSDEEP: 24576:6W+sHP1CVMeh7ytwrMJwprtc6JUYDNgWrmyADoHhKKxh272cvZ/i7oKqVtRluJXO:xB1CGGcHOTDB00ZDs+uF4CM38
Static task: static1
Behavioral task: behavioral1
Sample: 34bf379cdc9e09d6719b6ea649c0a3db605839dae82de4a0aacf2968c3d3e817.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: 34bf379cdc9e09d6719b6ea649c0a3db605839dae82de4a0aacf2968c3d3e817.exe
Resource: win10v2004-20231127-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.karthikagro.in
Port: 587
Username: [email protected]
Password: Yenks@0910
Email To: [email protected]
Extracted
Protocol: smtp
Host: mail.karthikagro.in
Port: 587
Username: [email protected]
Password: Yenks@0910
Targets
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (3)
    Disable or Modify Tools (3)
  Modify Registry (5)
  Virtualization/Sandbox Evasion (2)