General
Target: 2771d19509020f26e66b8af84fd8b4af0e02ded04ba73bcb9b57987f7863975f
Size: 157KB
Sample: 240328-bme7qsce2y
MD5: fdd319fa7de7f43c93afdff04162281d
SHA1: 6512ed74b9d7dc4d425f3652e39ff4691b09c5c8
SHA256: 2771d19509020f26e66b8af84fd8b4af0e02ded04ba73bcb9b57987f7863975f
SHA512: b09231c91780d4b58226862d4a02a2f310b00375ed871efae6d761e97015ba412c9df9390efb3ef0f9fddcb912ab3c4032a1cda51fd7ee422324dab97e12777e
SSDEEP: 1536:gwcgVKD5XghB2jm/w7ecwOJhv9lMuEqTIm4gKN2PqAqMX3ciIAnoejei:vXVKlM7dOJCuTKNhAqimAN6
Static task: static1
Behavioral task: behavioral1
  Sample: 2771d19509020f26e66b8af84fd8b4af0e02ded04ba73bcb9b57987f7863975f.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2771d19509020f26e66b8af84fd8b4af0e02ded04ba73bcb9b57987f7863975f.exe
  Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla
- https://api.telegram.org/bot7178103238:AAFpcijMmYeMlJJVnAmpmroCaHuSs5YlbxU/
Extracted: xworm
- C2: 127.0.0.1:5000, 51.89.241.91:5000
- Install_directory: %Public%
- install_file: Adobe Cloud.exe
- telegram: https://api.telegram.org/bot5474576959:AAEFEPb7hmHEmq_ZM_jasyYk46DECm44Sm0/sendMessage?chat_id=1412104349
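As an added example (not part of the sandbox report, and not code from either malware family), the extracted configuration above is turned into hunting indicators and then matched against a few constructed proxy log lines. It assumes the Windows default expansion of %Public% (C:\Users\Public) and a simple space-separated proxy log format; the log lines, the 10.0.0.x client addresses and the third bot token (1234567890:AAH...) are made up for the test. The loopback C2 entry is dropped because it is a builder placeholder, not something to hunt for.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Configuration as the sandbox extracted it from this sample (copied from the report).
EXTRACTED = {
    "agenttesla": {
        "telegram": "https://api.telegram.org/bot7178103238:AAFpcijMmYeMlJJVnAmpmroCaHuSs5YlbxU/",
    },
    "xworm": {
        "c2": ["127.0.0.1:5000", "51.89.241.91:5000"],
        "install_directory": "%Public%",
        "install_file": "Adobe Cloud.exe",
        "telegram": "https://api.telegram.org/bot5474576959:AAEFEPb7hmHEmq_ZM_jasyYk46DECm44Sm0/sendMessage?chat_id=1412104349",
    },
}

# Assumption: %Public% expands to its Windows default.
PUBLIC_DEFAULT = r"C:\Users\Public"

# Telegram Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>.
TOKEN_RE = re.compile(r"/bot(\d+:[A-Za-z0-9_-]{32,})")

# Assumed proxy log layout: <timestamp> <client> <method> <target> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\S+)$")

# Constructed log lines (not from the sandbox run): the X-Worm C2, the X-Worm
# Telegram exfil URL, an unrelated bot token from another host, and benign traffic.
SAMPLE_PROXY_LOG = """\
2024-03-28T10:01:02Z 10.0.0.15 CONNECT 51.89.241.91:5000 200
2024-03-28T10:01:05Z 10.0.0.15 POST https://api.telegram.org/bot5474576959:AAEFEPb7hmHEmq_ZM_jasyYk46DECm44Sm0/sendMessage?chat_id=1412104349 200
2024-03-28T10:02:11Z 10.0.0.22 GET https://api.telegram.org/bot1234567890:AAHaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/getMe 200
2024-03-28T10:03:00Z 10.0.0.15 GET https://example.com/ 200
"""


@dataclass
class Iocs:
    c2_sockets: List[Tuple[str, int]] = field(default_factory=list)
    telegram_tokens: List[str] = field(default_factory=list)
    telegram_chat_ids: List[str] = field(default_factory=list)
    host_paths: List[str] = field(default_factory=list)


def telegram_token(url: str) -> Optional[str]:
    """Return the bot token embedded in a Telegram Bot API URL, if any."""
    m = TOKEN_RE.search(urlsplit(url).path)
    return m.group(1) if m else None


def telegram_chat_id(url: str) -> Optional[str]:
    """Return the chat_id query parameter (the attacker's inbox), if present."""
    return parse_qs(urlsplit(url).query).get("chat_id", [None])[0]


def build_iocs(cfg: dict) -> Iocs:
    """Turn extracted family configs into network and host indicators."""
    iocs = Iocs()
    for family in cfg.values():
        for sock in family.get("c2", []):
            host, _, port = sock.rpartition(":")
            if ip_address(host).is_loopback:  # builder placeholder, skip
                continue
            iocs.c2_sockets.append((host, int(port)))
        url = family.get("telegram")
        if url:
            token = telegram_token(url)
            if token:
                iocs.telegram_tokens.append(token)
            chat_id = telegram_chat_id(url)
            if chat_id:
                iocs.telegram_chat_ids.append(chat_id)
        if "install_file" in family:
            directory = family.get("install_directory", "").replace("%Public%", PUBLIC_DEFAULT)
            iocs.host_paths.append(directory + "\\" + family["install_file"])
    return iocs


def scan_proxy_log(text: str, iocs: Iocs) -> List[dict]:
    """Flag C2 sockets from the config and any Telegram Bot API use, known token or not."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        token = telegram_token(target) if "api.telegram.org" in target else None
        if token:
            hits.append({"src": m["src"], "reason": "telegram-bot-api",
                         "token": token, "known_c2": token in iocs.telegram_tokens})
            continue
        host, _, port = target.rpartition(":")
        if port.isdigit() and (host, int(port)) in iocs.c2_sockets:
            hits.append({"src": m["src"], "reason": "xworm-c2",
                         "socket": target, "known_c2": True})
    return hits


if __name__ == "__main__":
    indicators = build_iocs(EXTRACTED)
    print(indicators)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, indicators):
        print(hit)
```

Two practical points follow from the output. First, the host path C:\Users\Public\Adobe Cloud.exe is what the "Adds Run key" and "Drops startup file" signatures below should resolve to on an infected machine, so a Run value or Startup shortcut pointing there is the host-side check. Second, the scanner reports every workstation that talks to api.telegram.org/bot..., not only the two tokens from this sample: Telegram bot exfiltration is generic across these families, and a token seen in traffic identifies the attacker's bot and can be reported for takedown.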
Targets
Target: 2771d19509020f26e66b8af84fd8b4af0e02ded04ba73bcb9b57987f7863975f (157KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic.
- Detect Xworm payload
- Downloads MZ/PE file
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)