General
Target: tmp
Size: 340KB
Sample: 240327-zfvwlsbf33
MD5: 845971e68786f9c59ad9e4d5b7a2b1fe
SHA1: 619a41e8a05c9f1f8aa56684e6578f9efd2acf0f
SHA256: e749697baf047ee9b5261865ffb43b8b92e77288f9d764798d00c2fd685ca573
SHA512: c00e5cc5bc66c3ef5e078330aa26d5a6c29cd76c611418c3bf16e6f1d25693974757e97cd689c7a587d9a3c4ddecf6c90bd8be7f7015d082987cdc6e1683400b
SSDEEP: 6144:c8k80ckeOTFIdzXdVufRrLivwburclAp07IdY:c8k80ckeaId65LswburcypJ
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20240226-en
Malware Config

Extracted: agenttesla
C2 (Telegram bot API): https://api.telegram.org/bot7178103238:AAFpcijMmYeMlJJVnAmpmroCaHuSs5YlbxU/

Extracted: xworm
C2 hosts: 127.0.0.1:5000, 51.89.241.91:5000
Install_directory: %Public%
install_file: Adobe Cloud.exe
telegram: https://api.telegram.org/bot5474576959:AAEFEPb7hmHEmq_ZM_jasyYk46DECm44Sm0/sendMessage?chat_id=1412104349
Targets
Target: tmp (340KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload
Checks computer location settings: looks up the country code configured in the registry, likely as a geofence.
Drops startup file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)

Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)