General
-
Target
317fec4108f6d85caa5c1589b983a87dc665140390975d2f96e54a8ab1ab2d34
-
Size
1.1MB
-
Sample
220221-226akscebp
-
MD5
56c9727d6d4e0af73218e73f62677000
-
SHA1
f4fc7ef9f53faf32cafb002f34ede7078175e6e9
-
SHA256
317fec4108f6d85caa5c1589b983a87dc665140390975d2f96e54a8ab1ab2d34
-
SHA512
ed26c12c583ba02ee32b542ff815841b813b0d8149eb010ef3671d02476f77608fa394fa60f8e0d4576a18f9c772fba48a471625026b2001453a8057d1cbd95d
Static task
static1
Behavioral task
behavioral1
Sample
000000090000-0990.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
000000090000-0990.exe
Resource
win10v2004-en-20220113
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: srvc13.turhost.com
Port: 587
Username: [email protected]
Password: italik2015
Extracted
snakekeylogger
Protocol: smtp
Host: srvc13.turhost.com
Port: 587
Username: [email protected]
Password: italik2015
Extracted
matiex
Protocol: smtp
Host: srvc13.turhost.com
Port: 587
Username: [email protected]
Password: italik2015
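All three family extractors (agenttesla, snakekeylogger, matiex) report the same SMTP host, port and credentials, so the report is almost certainly describing one exfiltration channel matched by three overlapping config extractors rather than three separate implants. The following added example (not part of the report or of the sandbox's own tooling) parses the "Extracted" blocks in the flattened form in which they appear above, collapses identical configs into one record with the list of family labels that matched it, and derives the network indicator worth blocking. The input text is embedded exactly as shown on the page; the redacted username is kept as-is.

```python
import re
from collections import defaultdict

# Constructed input: the three "Extracted" blocks as they appear on the page
# (the username is shown redacted on the page and is kept that way here).
RAW_CONFIG_TEXT = """Extracted
agenttesla
Protocol: smtp- Host:
srvc13.turhost.com - Port:
587 - Username:
[email protected] - Password:
italik2015
Extracted
snakekeylogger
Protocol: smtp- Host:
srvc13.turhost.com - Port:
587 - Username:
[email protected] - Password:
italik2015
Extracted
matiex
Protocol: smtp- Host:
srvc13.turhost.com - Port:
587 - Username:
[email protected] - Password:
italik2015
"""

# Once a block's lines are re-joined, fields look like
# "Protocol: smtp- Host: srvc13.turhost.com - Port: 587 ...":
# a key, a colon, a value, then " - " before the next key (or end of text).
FIELD_RE = re.compile(r"(\w+):\s*(.*?)\s*(?:-\s*(?=\w+:)|$)")


def parse_extracted(text):
    """Return one dict per 'Extracted' block: family label plus its fields."""
    configs = []
    block = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Extracted":
            block = {"family": None}
            configs.append(block)
        elif block is not None and block["family"] is None:
            block["family"] = line          # the line right after "Extracted"
        elif block is not None:
            block.setdefault("_raw", []).append(line)
    for cfg in configs:
        joined = " ".join(cfg.pop("_raw", []))
        for key, value in FIELD_RE.findall(joined):
            cfg[key.lower()] = value
    return configs


def dedupe_configs(configs):
    """Group family labels by identical exfiltration settings."""
    groups = defaultdict(list)
    for cfg in configs:
        key = tuple(sorted((k, v) for k, v in cfg.items() if k != "family"))
        groups[key].append(cfg["family"])
    return [{"config": dict(key), "families": fams} for key, fams in groups.items()]


def network_iocs(configs):
    """Unique (protocol, host, port) tuples to block at the egress or hunt for in mail logs."""
    return sorted({(c["protocol"], c["host"], int(c["port"])) for c in configs})


if __name__ == "__main__":
    parsed = parse_extracted(RAW_CONFIG_TEXT)
    for group in dedupe_configs(parsed):
        print(group["families"], "->", group["config"]["host"], group["config"]["port"])
    print(network_iocs(parsed))
```

The deduplication is the useful step: feeding three family names into a ticket or a threat-intel platform for what is one SMTP drop account inflates the case, while the single (smtp, srvc13.turhost.com, 587) indicator is what an egress filter or mail-gateway rule actually needs.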
Targets
-
-
Target
000000090000-0990.exe
-
Size
1.5MB
-
MD5
dca3732857d10782f68df4c3e1b757a9
-
SHA1
95a0c95fee10a8e37fb0bcabff6e4b10924285d2
-
SHA256
c62943499b7fed80bf4e37ab525b622ef4fb7cc6b82ddb7b8d6fe75dabcaf363
-
SHA512
5ada13a7e67d59e38d57fccddac36cad71d2ccfff45945cc1274d310ecf4a79f756e865526a1d9d672d6200d0ae4215e5b7754b0b29e88debb5f9db873154ea0
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET); it is typically sold as a service and exfiltrates harvested credentials and keystrokes over SMTP, FTP or HTTP.
-
Matiex Main Payload
-
AgentTesla Payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
Reads the Outlook profile data in the registry, where stored mail account settings and credentials can be harvested.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
Rewriting another thread's context is characteristic of process hollowing, where a payload is written into a suspended process and its entry point redirected.
-
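The behaviours listed above are individually weak signals (plenty of legitimate software reads the machine's region or asks a web service for its public IP), but they become a strong verdict when one process shows several of them together with a connection to the extracted SMTP host. The following added example (not part of the report or of the sandbox's own signatures) runs that combination over constructed Sysmon-style registry and network events. Assumptions, not stated on the page: the "computer location" signature is modelled as a read of HKCU\Control Panel\International\Geo\Nation (the key behind GetUserGeoID), the IP-lookup host list is an illustrative set of real public services and the page does not say which one the sample used, and the event records and benign processes are constructed.

```python
from collections import defaultdict

# Constructed sandbox-style events (not from the report). The first three
# model the sample's listed behaviours; the last two are benign look-alikes.
SAMPLE = "000000090000-0990.exe"
EVENTS = [
    {"event": "RegistryQuery", "process": SAMPLE,
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"event": "NetworkConnect", "process": SAMPLE,
     "dest_host": "api.ipify.org", "dest_port": 443},
    {"event": "NetworkConnect", "process": SAMPLE,
     "dest_host": "srvc13.turhost.com", "dest_port": 587},
    {"event": "NetworkConnect", "process": "outlook.exe",        # a real mail client on SMTP
     "dest_host": "smtp.example.net", "dest_port": 587},
    {"event": "RegistryQuery", "process": "explorer.exe",        # shell reading the region
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
]

# Assumed: the registry value read by GetUserGeoID, used for geofencing checks.
GEO_KEY_SUFFIX = r"\control panel\international\geo\nation"
# Assumed illustrative list of public IP-lookup services; the page names none.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}
# Processes expected to speak SMTP on this host (constructed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# The exfiltration host from the extracted config above.
KNOWN_EXFIL_HOSTS = {"srvc13.turhost.com"}
SMTP_PORTS = {25, 465, 587}


def detect(events):
    """Map each process name to the set of behaviour tags it triggered."""
    per_proc = defaultdict(set)
    for e in events:
        proc = e["process"].lower()
        if e["event"] == "RegistryQuery" and e["key"].lower().endswith(GEO_KEY_SUFFIX):
            per_proc[proc].add("geo_lookup")
        elif e["event"] == "NetworkConnect":
            host, port = e["dest_host"].lower(), e["dest_port"]
            if host in IP_LOOKUP_HOSTS:
                per_proc[proc].add("external_ip_lookup")
            if host in KNOWN_EXFIL_HOSTS:
                per_proc[proc].add("known_exfil_host")
            if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
                per_proc[proc].add("smtp_from_non_mail_client")
    return per_proc


def verdicts(events):
    """Flag a process on a known exfil host, or on two or more weak signals combined."""
    flagged = {}
    for proc, tags in detect(events).items():
        if "known_exfil_host" in tags or len(tags) >= 2:
            flagged[proc] = sorted(tags)
    return flagged


if __name__ == "__main__":
    for proc, tags in verdicts(EVENTS).items():
        print(proc, "->", ", ".join(tags))
```

explorer.exe reads the same Geo key but fires nothing on its own, and outlook.exe's SMTP session is allowlisted; only the sample crosses the threshold, on all four tags. When the extracted host is not yet known (a fresh sample), the two-signal rule still catches the geo-check plus IP-lookup pattern that precedes the first exfiltration.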