General
-
Target
23052024_1347_22052024_Ach_Payment_Advice01.gz
-
Size
612KB
-
Sample
240523-q3yfksdb8y
-
MD5
adf375448796e4d3f80067a25fe89f46
-
SHA1
cfc575914ca0ebe94abf5d89722f6fbfaa9e1ee9
-
SHA256
c992f916c0381e40b3849ad77534f0bb944e4e42283793fd7ac06e245cd43cef
-
SHA512
e98fa14ef9a55f05bc8f48cab97397d732c12154b12caaef0d8fd0e39d8fff5b22f865eb9f9ade221ac64840011f2bbf2361042be9fbabe2c7f398dd976c3dc3
-
SSDEEP
12288:RJCt63Yngjh38jpvNO1ShvoOJ/gf5jb0qy3QQ5tcGgU0fOYeWiKp6cgxA:G63cihMpFutYjtPEU0m3KIcH
Static task
static1
Behavioral task
behavioral1
Sample
Ach_Payment_Advice01.exe
Resource
win7-20240220-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7116470912:AAFcUeHH1656vYbBtccMjQVal4iMak99ZmA/
Targets
-
Target
Ach_Payment_Advice01.exe
-
Size
689KB
-
MD5
eeb0a5f2f2e765bbe937e595ddd0650a
-
SHA1
2a5127e5fdf921547b4ec39e964682469573e1f6
-
SHA256
2869686380724afd713bbefc58c9aceabd90692e27d9de7af96e748b3066d8e9
-
SHA512
46f36ddb5d6dc37ac4d1d0388c87971933e8f8fae7de89d54483b5a900365c786b859b9b7fbd7f721a03ac03025ce800f5ee3ebcb67aa22442d8df1853456ee8
-
SSDEEP
12288:c5h2Xp96Wtlc5ingN/JuXdH7O18x3UObHgf5jFuq4XQM5taSw40fgYYMiwp68kxU:c5UXfvtlc5yC/adbChYjl9c40oRwI81
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Looks for VirtualBox Guest Additions in registry
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMware Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Defense Evasion
Abuse Elevation Control Mechanism (1)
Bypass User Account Control (1)
Impair Defenses (3)
Disable or Modify Tools (3)
Modify Registry (4)
Virtualization/Sandbox Evasion (2)