General
Target: e9b47665c8a44e2b9be8a5c97300fda62e8a68320f3ffc26cf0e05287e4b6c33
Size: 4.9MB
Sample: 231212-cs2hlaefc3
MD5: bc3e3c11d6b450b06aa5e726dd90cb5d
SHA1: 918e39399a05587bc186a52d019a91aa1cccb339
SHA256: e9b47665c8a44e2b9be8a5c97300fda62e8a68320f3ffc26cf0e05287e4b6c33
SHA512: d4343b6fe2da664c5d45a8eb6dfb5d65726105d5fe406fb549239ab24b66d8c58e5e97a70c974937939e04edabce7f5f405e518bc9ca00e8531decc0bcb3c6d8
SSDEEP: 98304:dZSy5V7BxVDPF5yHApK+OkOV6am3l3QZ9s0mKQvQPG7PCoDlpF8XgmxoTCj:dZNXLyd+JOxmdY98vQPG7PCGHF8QCj
Static task: static1
Behavioral task: behavioral1
  Sample: R-30001-50154-A2-261-13-50-004_1-MR- ITEMS.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: R-30001-50154-A2-261-13-50-004_1-MR- ITEMS.exe
  Resource: win10v2004-20231127-en
Malware Config
Extracted: agenttesla
C2: https://api.telegram.org/bot6797507482:AAHJ8LYbNUMw7Y3bc6Qgeuc5Q3n-h2KBG50/
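The extracted C2 is a Telegram Bot API base URL, so the useful indicator is the bot token in the URI path rather than the (legitimate) api.telegram.org host. The following is an added triage helper, not part of the sandbox report, that parses that URL into bot ID and token, redacts the secret for reporting, and emits a path-based IOC. The token layout (numeric bot ID, a colon, 30 or more characters of [A-Za-z0-9_-]) and the list of Bot API methods under endpoints are assumptions made for the example, not facts the report states.

```python
import re
from urllib.parse import urlparse

# Constructed input: the URL from the extracted agenttesla config on this page.
EXTRACTED_C2 = "https://api.telegram.org/bot6797507482:AAHJ8LYbNUMw7Y3bc6Qgeuc5Q3n-h2KBG50/"

# Assumed token layout: numeric bot ID, ':', then a 30+ char secret of [A-Za-z0-9_-].
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/?$")


def parse_telegram_bot_url(url: str):
    """Return {'bot_id', 'secret', 'token'} for a Telegram Bot API base URL, else None.

    Only the bare base URL (optionally with a trailing slash) is accepted; a URL
    that already names a method (e.g. .../sendDocument) or uses plain http is
    rejected so the caller knows it is not the config format seen above.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if m is None:
        return None
    bot_id, secret = m.group("bot_id"), m.group("secret")
    return {"bot_id": bot_id, "secret": secret, "token": f"{bot_id}:{secret}"}


def redact_token(token: str, keep: int = 4) -> str:
    """Mask the secret part of a bot token for sharing in a report; keep the bot ID."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:keep]}{'*' * (len(secret) - keep)}"


def build_iocs(url: str):
    """Turn the extracted URL into host-independent indicators.

    api.telegram.org is a legitimate service, so blocking the domain is rarely
    acceptable; match the URI path carrying the token in proxy/TLS-inspection
    logs instead.  The method names under 'endpoints' are an assumption about
    how a stealer would use the bot, not something the report states.
    """
    parsed = parse_telegram_bot_url(url)
    if parsed is None:
        return None
    base = f"/bot{parsed['token']}/"
    return {
        "channel": "telegram-bot-api",
        "bot_id": parsed["bot_id"],
        "token_redacted": redact_token(parsed["token"]),
        "uri_path_prefix": base,
        "endpoints": [base + method for method in ("sendDocument", "sendMessage")],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(EXTRACTED_C2), indent=2))
```

Run it as a script to print the IOC record for the URL above; the unredacted token stays in the returned dict so it can be fed to a blocklist, while token_redacted is what goes into a shared write-up.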
Targets
Target: R-30001-50154-A2-261-13-50-004_1-MR- ITEMS.exe
Size: 8.8MB
MD5: bb44d815f6be23eca0d250c7c1022170
SHA1: 66865fb7231feb1ec8fc8d22d94cdae48a08ac1b
SHA256: 01b2af31da46484abe30d7395049066bb04bfac6ed42379f1f2c083a5e0faa3b
SHA512: c4fd043447e1005414c34191afe5dace81f25f3936f231985d2ae78f37e2034c11e91bab0b04b73ebd233c7c03a6a794be9c12cab028c94dd6003b783f6a963a
SSDEEP: 98304:BzqpW2bJs8qDYteYW5oDhVrfQ/z0rKX1UD8c:BGpfJsRDZwDffQQmuQc
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Adds Run key to start application
  Writes a Run registry key so the payload is started again at logon.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Calling SetThreadContext on a thread of another process is a common process-injection indicator (it redirects a suspended thread to injected code).
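The first two behavioural signatures above, the registry-based country-code lookup and the Run-key persistence, expressed as detection logic over constructed registry events. This is an added example, not output from the sandbox run: the Procmon-style line format is made up for the example, and the assumption that "country code configured in the registry" refers to the HKCU\Control Panel\International\Geo\Nation value is mine, not something the report states.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "signature technique pid path")

# Constructed, Procmon-style registry events (not the sandbox's own output).
# The sample name matches the report; the PIDs, paths and data values are invented.
SAMPLE_EVENTS = [
    r'pid=4120 image="R-30001-50154-A2-261-13-50-004_1-MR- ITEMS.exe" op=RegQueryValue path="HKCU\Control Panel\International\Geo\Nation" result=SUCCESS',
    r'pid=4120 image="R-30001-50154-A2-261-13-50-004_1-MR- ITEMS.exe" op=RegSetValue path="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Items" data="C:\Users\victim\AppData\Roaming\Items\Items.exe"',
    r'pid=880 image="explorer.exe" op=RegSetValue path="HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" data="1"',
    r'pid=2200 image="svchost.exe" op=RegQueryValue path="HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language\Default" result=SUCCESS',
]

# key=value fields; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumed location of the configured country code (GeoID) in the user hive.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Any value written directly under Run or RunOnce in the CurrentVersion key.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Run-value targets in user-writable locations are the classic malware pattern.
USER_WRITABLE_RE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)

GEO_SIG = "Checks computer location settings"
RUN_SIG = "Adds Run key to start application"


def parse_event(line: str) -> dict:
    """Split one constructed log line into a field dict, unquoting quoted values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def analyze(lines):
    """Return a Finding for every event that matches one of the two signatures."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        op, path = ev.get("op"), ev.get("path", "")
        if op == "RegQueryValue" and GEO_NATION_RE.search(path):
            findings.append(Finding(GEO_SIG, None, ev["pid"], path))
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            sig = RUN_SIG
            if USER_WRITABLE_RE.search(ev.get("data", "")):
                sig += " (target in user-writable directory)"
            findings.append(Finding(sig, "T1547.001", ev["pid"], path))
    return findings


def pids_with_geofence_and_persistence(findings):
    """PIDs that both read the country code and installed a Run key: the
    combination this report shows for the sample, worth a higher score than
    either behaviour alone (many legitimate installers write Run keys)."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f.pid, set()).add(f.signature.split(" (")[0])
    return {pid for pid, sigs in by_pid.items() if {GEO_SIG, RUN_SIG} <= sigs}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.pid}] {f.signature} ({f.technique or 'n/a'}): {f.path}")
    print("both behaviours:", pids_with_geofence_and_persistence(found))
```

The explorer.exe and svchost.exe lines are there as negatives: a value under Explorer\Advanced and a read of the NLS default language look superficially similar but match neither pattern, which is the kind of false positive a looser "CurrentVersion" or "International" substring rule would produce.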
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548): 1
    Bypass User Account Control (T1548.002): 1
  Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1