General
- Target: 335f8da14bfed9aacc1fb101b2ed4706f68757a43900fc6e6cbd34de3510ad49
- Size: 765KB
- Sample: 241120-b6nm8asmfq
- MD5: 412388f943158cab601d20f5e22e4117
- SHA1: e3a9281a8b0c985086eac09a1ce392512e4f24d6
- SHA256: 335f8da14bfed9aacc1fb101b2ed4706f68757a43900fc6e6cbd34de3510ad49
- SHA512: 8349b36a9689187a89f7bc5c5beb4f783427599e2b69a5cb17de834e3a4ea6770529212a68103312adcf9866625cb77101a6d110c8fe8cd015db20eba3638968
- SSDEEP: 12288:cffiPZuJK08DC2W7glzHM4IbUQ3jPXOsB3XOh+T1b/Sq8uBrzLnAxNxNYp9kaDc/:YiPZuJKw2WUlzNYUQzp38KdSq8uNzLAP
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO IP 24000732.exe
- Resource: win7-20241010-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6852245174:AAHgk_9s-tH6YNacTaCnQz56uJMggI0fZDw/
Targets
- Target: PO IP 24000732.exe
- Size: 802KB
- MD5: e90e11b3f522848cdda6418582a11321
- SHA1: b8a202c80349905cf1f04c4147d11272e1dd0055
- SHA256: f64e005b27ee50222b28815ba69baf3ed2d694892de8cd2d81ca98f44852c64f
- SHA512: e5743364e9dbf3749dbbbf48ab07db3fca86175da5c694b724f72a5799a49f2118a529366bcad7be0435a0ca9e5c0e4b4d13c9bfbcf0cf1ba234e074f6332bd2
- SSDEEP: 24576:HYDo77o5wCastaTRDQs/GR2/hkpthkOI:s9wHs4tEsppkB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Credential Access
- Credentials from Password Stores: 1
  - Credentials from Web Browsers: 1
- Unsecured Credentials: 4
  - Credentials In Files: 3
  - Credentials in Registry: 1