General
- Target: 9aaaf2ed790b906c51da7d1707224d6df6b9399bd9d676b625d8497cb84aeb0f
- Size: 693KB
- Sample: 240330-bg95xsec99
- MD5: 09c6ed822b760748faec7929479a6404
- SHA1: 762e8e384d854218a78a57acc50c64bdea108219
- SHA256: 9aaaf2ed790b906c51da7d1707224d6df6b9399bd9d676b625d8497cb84aeb0f
- SHA512: 7e13d0e751bc3f3ab663c74a6217f8abea1efe1ef5cda2dc302e8a199eaaa7f0e1d109087deea8dc8e9e39ba51658083351b097e4a2ac79857997ea37819aabe
- SSDEEP: 12288:qwLK1Cx+xuuZ2V/qI5RVD7ML7LrIIU5kJ6onhk/0fAkW+/DWkR:qwiG+wuk/RRxwDU5kQqbxJ
Static task: static1
Behavioral task: behavioral1
- Sample: 9aaaf2ed790b906c51da7d1707224d6df6b9399bd9d676b625d8497cb84aeb0f.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9aaaf2ed790b906c51da7d1707224d6df6b9399bd9d676b625d8497cb84aeb0f.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted
- Protocol: smtp
- Host: mail.scannerhacker.com
- Port: 587
- Username: [email protected]
- Password: VH%xMhCW$I[l
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.scannerhacker.com
- Port: 587
- Username: [email protected]
- Password: VH%xMhCW$I[l
- Email To: [email protected]
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)