General
Target: AYF00675.lnk
Size: 1KB
Sample: 231207-jgd2gshhel
MD5: 92cff55b70b6556b395300de968521fc
SHA1: 4bfccd1a6dc2a775a497074caecf25386dab49fb
SHA256: d3ab1b047a1ee9985c00c95cd4d205f79bdf47ade1f18ee30ec9d88a58cb133d
SHA512: 7b59f385a7bacba7a87479837218f1399894480f2b4ae60811d0c4ec180cfbfde6170ecb0b369f4dd0cd75af02a216b5659e714d7c53d439394664505a9311fe
Static task: static1
Behavioral task: behavioral1
  Sample: AYF00675.lnk
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: AYF00675.lnk
  Resource: win10v2004-20231127-en
Malware Config
Extracted family: agenttesla
Extracted URL: https://api.telegram.org/bot6184846740:AAFy48QnJEpbqT9DY_xx392kz1tH5_khlWo/
Targets
Target: AYF00675.lnk
Size: 1KB
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext