General
- Target: 2d1b6d667a4f7f038e4d5e73eef85b074f3758a4ad73097e3d7c17d9e79c5aeb
- Size: 667KB
- Sample: 240424-cfywyaeb46
- MD5: 22a9e1571551d0ed6b63633b491cce09
- SHA1: 598105c94d535d6e489585f18e9b0a8c7fea7c27
- SHA256: 2d1b6d667a4f7f038e4d5e73eef85b074f3758a4ad73097e3d7c17d9e79c5aeb
- SHA512: 07bb1be2d3ed491c9b5ac80801583ed1b04c5f05dfa9e3dbbf633bcfef7e2394c00b2a7600e593377b6e5bf83b6c6560e8a4fc47f583b37df05fe4e977a87178
- SSDEEP: 12288:scK1axNZRA9+4zqb7QiaBOUVKHKYCw5sdlGTsJN3TyJWcObPt+Or6vAVC2NtmUUR:jls+4zqnQHB1AHKy5sdlGTcN0WcOTxrc

Static task
- static1

Behavioral task
- behavioral1
  - Sample: 2d1b6d667a4f7f038e4d5e73eef85b074f3758a4ad73097e3d7c17d9e79c5aeb.exe
  - Resource: win7-20240221-en

Behavioral task
- behavioral2
  - Sample: 2d1b6d667a4f7f038e4d5e73eef85b074f3758a4ad73097e3d7c17d9e79c5aeb.exe
  - Resource: win10v2004-20240412-en
Malware Config

Extracted
- Protocol: smtp
- Host: mail.a2zksa.com
- Port: 587
- Username: [email protected]
- Password: ]Xw(w^vQ-{^2

Extracted (agenttesla)
- Protocol: smtp
- Host: mail.a2zksa.com
- Port: 587
- Username: [email protected]
- Password: ]Xw(w^vQ-{^2
- Email To: [email protected]
Targets
- Target: 2d1b6d667a4f7f038e4d5e73eef85b074f3758a4ad73097e3d7c17d9e79c5aeb
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)