General
- Target: d2cc943e7fd101b57f31be4dc6241fd6ebb7639f392d2141dd51df96a70b8b5c
- Size: 1.1MB
- Sample: 240425-d6gwsaeg7s
- MD5: 890ad98d344fe4c853ad4ff8dc6f322f
- SHA1: 9163024beb863ca21b3f2503c702a3b68dccb3f2
- SHA256: d2cc943e7fd101b57f31be4dc6241fd6ebb7639f392d2141dd51df96a70b8b5c
- SHA512: e096327a94b4993dbba06cb0f40d1a2a863d2adbd8a4901b6fdaf7326ec4eb0693fe082931e6f32412f736ece154a91b4dc6cce397139600010b903a2ac65cb1
- SSDEEP: 24576:U0QxAr0u9lvY86I7SdsVmtTpu3g7dcDz6NykYYPvlgaE:Ukr0u9lvY8r2+ItTpu3g7dcvuPvlgh
Static task: static1

Behavioral task: behavioral1
- Sample: d2cc943e7fd101b57f31be4dc6241fd6ebb7639f392d2141dd51df96a70b8b5c.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: d2cc943e7fd101b57f31be4dc6241fd6ebb7639f392d2141dd51df96a70b8b5c.exe
- Resource: win10v2004-20240412-en
Malware Config
- Extracted family: agenttesla
- C2 (Telegram Bot API): https://api.telegram.org/bot7153849678:AAHZ86-INh3Tdo6wZQNFtoJXmAuQIxKFYsc/
Targets
- Target: d2cc943e7fd101b57f31be4dc6241fd6ebb7639f392d2141dd51df96a70b8b5c
- Size: 1.1MB
- MD5: 890ad98d344fe4c853ad4ff8dc6f322f
- SHA1: 9163024beb863ca21b3f2503c702a3b68dccb3f2
- SHA256: d2cc943e7fd101b57f31be4dc6241fd6ebb7639f392d2141dd51df96a70b8b5c
- SHA512: e096327a94b4993dbba06cb0f40d1a2a863d2adbd8a4901b6fdaf7326ec4eb0693fe082931e6f32412f736ece154a91b4dc6cce397139600010b903a2ac65cb1
- SSDEEP: 24576:U0QxAr0u9lvY86I7SdsVmtTpu3g7dcDz6NykYYPvlgaE:Ukr0u9lvY8r2+ItTpu3g7dcvuPvlgh
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1