General
- Target: 6ddc85bbc79994142576b50229c7d8e9180d997ed1dcee4b4b2b836f5c3c502d
- Size: 13KB
- Sample: 240430-b46q1sgf82
- MD5: 5a91af948082dc50c884f28af34197d6
- SHA1: 151d368769139f62bd9c7ca092b0c00640b6fba3
- SHA256: 6ddc85bbc79994142576b50229c7d8e9180d997ed1dcee4b4b2b836f5c3c502d
- SHA512: db3cb448012c426fffbded2c8d64f07bf7e7fedca7ce2f052543bc870e3685983b07a2b37edd5ba4124a9ef1edb57d2943e5ee29373b73eb92e26a04a4f68126
- SSDEEP: 384:yBIxNnVyifSfAjLmsnkd+m4yGt6U3jLxCH+0iRUrVpPgRZVNlb0oSXoj4:ZVfqYjLFkgHyGAU3jLxJ3cVUvQbXR
Static task: static1

Behavioral task: behavioral1
- Sample: 6ddc85bbc79994142576b50229c7d8e9180d997ed1dcee4b4b2b836f5c3c502d.vbs
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 6ddc85bbc79994142576b50229c7d8e9180d997ed1dcee4b4b2b836f5c3c502d.vbs
- Resource: win10v2004-20240419-en
Malware Config
- Extracted: agenttesla
- https://api.telegram.org/bot7109324415:AAEtV_HPY0H5mFN38xCDvDx9wl-kKb9q3qg/
Targets
- Target: 6ddc85bbc79994142576b50229c7d8e9180d997ed1dcee4b4b2b836f5c3c502d
- Size: 13KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext