General
-
Target
tmp4vvsfrfw
-
Size
3.2MB
-
Sample
240429-ray23scf7v
-
MD5
b3cdc9e5d148f28c40fcb727100aab8c
-
SHA1
3361179695c8ffa760a1607339c8cd4b1e1b9780
-
SHA256
98be3ef42a4bbf286fb1be8b0837a24704f87f2d2ae3e84f380479c08d600b81
-
SHA512
ae57d3bd52c5ba642ce890ca715143e08f9aedc1ae28f67efa82d7a0d545c7f2bca61529fe66a45e5f1a72347ed169cba1718639a6768452bc1a7b9c6c77c5e7
-
SSDEEP
49152:fzBfc7Dk8mQmKHGcfDVu5Pc09JJtKzh8CLCs1+s2aGhfUo5S3I628:fzu1vMPKPLoT98I6L
Static task
static1
Behavioral task
behavioral1
Sample
tmp4vvsfrfw.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
tmp4vvsfrfw.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6902894171:AAF7F2wI9rfwYzH0AbQJ7rRjfVP2yL6ehww/
Targets
-
-
Target
tmp4vvsfrfw
-
Size
3.2MB
-
MD5
b3cdc9e5d148f28c40fcb727100aab8c
-
SHA1
3361179695c8ffa760a1607339c8cd4b1e1b9780
-
SHA256
98be3ef42a4bbf286fb1be8b0837a24704f87f2d2ae3e84f380479c08d600b81
-
SHA512
ae57d3bd52c5ba642ce890ca715143e08f9aedc1ae28f67efa82d7a0d545c7f2bca61529fe66a45e5f1a72347ed169cba1718639a6768452bc1a7b9c6c77c5e7
-
SSDEEP
49152:fzBfc7Dk8mQmKHGcfDVu5Pc09JJtKzh8CLCs1+s2aGhfUo5S3I628:fzu1vMPKPLoT98I6L
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1