General

Target: a7f4fe04262eb9349b0d95e6638903622f2348d8a197b5eb8937fc4eb1be1174
Size: 690KB
Sample: 240424-br35csde9x
MD5: 5f3fd22657bf0adfc057647d37085731
SHA1: 2dbb0499f14d803b4f7f38064703783a0c55feec
SHA256: a7f4fe04262eb9349b0d95e6638903622f2348d8a197b5eb8937fc4eb1be1174
SHA512: b2ccfda801941d9973eee76bc0dd83a1ab29fd272bc0b9e7890bb8e04ceda6689755e841f11b59d9e1fdbf60c73dfe06850d076be8fdf89db71192a8cdad09ea
SSDEEP: 12288:vPNpjsvRaQaeIzsVYem3KRl8j5mrAbSk2/m00UfVjo9zp84RagOUU:nNpjCbae9/mWlm+AYm072yqaBUU
Static task: static1

Behavioral task: behavioral1
  Sample: a7f4fe04262eb9349b0d95e6638903622f2348d8a197b5eb8937fc4eb1be1174.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: a7f4fe04262eb9349b0d95e6638903622f2348d8a197b5eb8937fc4eb1be1174.exe
  Resource: win10v2004-20240226-en
Malware Config

Extracted family: agenttesla
C2: https://api.telegram.org/bot7144925531:AAFj5KN4HiQlwcqqHICdvh7iOOg5_U7HmZs/
Targets

Target: a7f4fe04262eb9349b0d95e6638903622f2348d8a197b5eb8937fc4eb1be1174
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.

Adds Run key to start application

Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.

Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)