General
Target: 23c13d6f65cc5d8d2e96dcc5fa900a3eec93838c69ae05dbd46ec450ed2ee530
Size: 662KB
Sample: 240424-chcrgseb2s
MD5: 97271456981e2f3521ee0473858341e4
SHA1: 4dc363b11d45dc8b6099f6f3a7ae56ac56d58b3e
SHA256: 23c13d6f65cc5d8d2e96dcc5fa900a3eec93838c69ae05dbd46ec450ed2ee530
SHA512: 5377c6cac468e6801f49bd7518c57c21d3c758b08a6a1211abf7865a850e69172a8f464d3b23201fd978e92ddc87eb6b04101755eef76ce9c89d4c5a3bf76d41
SSDEEP: 12288:2cK1tQNZRAGIzSzGx/zjdveKHg63/DgwynKA6PqdK4Oca6e5sqMjV5:Pl8/Pdvegg63rgwCKlmLOcjeiH
Static task: static1
Behavioral task: behavioral1
  Sample: 23c13d6f65cc5d8d2e96dcc5fa900a3eec93838c69ae05dbd46ec450ed2ee530.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 23c13d6f65cc5d8d2e96dcc5fa900a3eec93838c69ae05dbd46ec450ed2ee530.exe
  Resource: win10v2004-20240412-en
Malware Config
Extracted: agenttesla
  https://api.telegram.org/bot7144925531:AAFj5KN4HiQlwcqqHICdvh7iOOg5_U7HmZs/
Targets
Target: 23c13d6f65cc5d8d2e96dcc5fa900a3eec93838c69ae05dbd46ec450ed2ee530
Size: 662KB
MD5: 97271456981e2f3521ee0473858341e4
SHA1: 4dc363b11d45dc8b6099f6f3a7ae56ac56d58b3e
SHA256: 23c13d6f65cc5d8d2e96dcc5fa900a3eec93838c69ae05dbd46ec450ed2ee530
SHA512: 5377c6cac468e6801f49bd7518c57c21d3c758b08a6a1211abf7865a850e69172a8f464d3b23201fd978e92ddc87eb6b04101755eef76ce9c89d4c5a3bf76d41
SSDEEP: 12288:2cK1tQNZRAGIzSzGx/zjdveKHg63/DgwynKA6PqdK4Oca6e5sqMjV5:Pl8/Pdvegg63rgwCKlmLOcjeiH
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)