General
Target: bea5fae45c6c06e4c4b4dc55d41b710737ddf8031d4d1a16f7e6341b6e8b144a
Size: 398KB
Sample: 220520-3wnc9acebk
MD5: b7dfaa686f7ea2eecaf54e4c23c0efbb
SHA1: 468c29f91b1fca90cf5fa61125568596a7be57f9
SHA256: bea5fae45c6c06e4c4b4dc55d41b710737ddf8031d4d1a16f7e6341b6e8b144a
SHA512: 983face516f7872dfec894bdfd6cbe31975855567caddea61262ef15bcabb72625b85d10d2a8263cf7d2623fcbc8a11aaf8077eeebc378aca82a3f7ca813c789
Note: these hashes describe the submitted object (398KB); the executable actually analysed (440KB) has different hashes, listed under Targets. Use the right set when blocking or hunting.
Static task: static1
Behavioral task: behavioral1
  Sample: wire transfer usd 44.151.83.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: wire transfer usd 44.151.83.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.pkfpmes.co.ke
  Port: 587
  Username: [email protected] (address masked in this rendering)
  Password: }79ngu!.Bzo7
The config is the attacker's drop mailbox with its plaintext credentials, so the host, port and account are the actionable indicators: alert on or block outbound SMTP from endpoints to this host, and the mailbox can be reported to the hosting provider.
Targets
Target: wire transfer usd 44.151.83.exe
Size: 440KB
MD5: 541c601ab569bca662977c4c84cc3e95
SHA1: d5b78f7151ce9b44c88d35e2b79fab7bfaaf4d0e
SHA256: 8a8b7097241b3eb6527c9f7ef529eb5897a5555762d7f7123db2c0395d243054
SHA512: 6942feb0d134bef45c2405b27f339fadfd00eab7d6039d3b8b41667cad03e5e32383010498d7c3e7f75a3ce4856ddded6ead3e37d69c0ab77c9636b377c60768
Signatures
AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and credential stealer; this sample exfiltrates the collected data over SMTP (see Malware Config).
  suricata: ET MALWARE AgentTesla Exfil Via SMTP (two hits)
AgentTesla Payload
Drops file in Drivers directory
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Accesses Microsoft Outlook profiles
  Consistent with harvesting saved mail-client credentials.
Suspicious use of SetThreadContext
  Typically part of process injection (writing a payload into a suspended process and redirecting its thread), a common unpacking pattern for this family's loaders.
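The extracted SMTP config and the Suricata "AgentTesla Exfil Via SMTP" hits above give an analyst two things to pivot on: the drop-mailbox host and port, and the leaked credentials. The following Python is an added example, not part of this Triage report and not Agent Tesla's or Suricata's code. It parses the flattened config block exactly as this page renders it, then checks a captured SMTP AUTH LOGIN exchange against the config, which only works when the sample authenticates in the clear (no STARTTLS). The SMTP dialogues are constructed inline; the client hostname, the mailbox username and the benign comparison server are placeholders, since the real username is masked on the page.

```python
import base64
import re

# Config block as this report page renders it: extraction ran the
# "Key: value" pairs together, and the username is masked in the rendering.
CONFIG_TEXT = """Protocol: smtp- Host:
mail.pkfpmes.co.ke - Port:
587 - Username:
[email protected] - Password:
}79ngu!.Bzo7"""

# "Key: value" pairs, each terminated by " - " (or "- ") and the next key.
KV_RE = re.compile(r"(\w+):\s*(.*?)\s*(?=-\s*\w+:|$)")


def parse_config(text: str) -> dict:
    """Turn the flattened config block into {'protocol', 'host', 'port', ...}."""
    flat = " ".join(line.strip() for line in text.splitlines())
    cfg = {key.lower(): value for key, value in KV_RE.findall(flat)}
    cfg["port"] = int(cfg["port"])
    return cfg


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def smtp_auth_login_session(username: str, password: str) -> list:
    """Constructed client/server dialogue for a plaintext SMTP AUTH LOGIN,
    i.e. what the sample sends if it does not negotiate STARTTLS first."""
    return [
        "S: 220 mail ESMTP ready",
        "C: EHLO DESKTOP-VICTIM",      # placeholder client hostname
        "S: 250-AUTH LOGIN PLAIN",
        "S: 250 OK",
        "C: AUTH LOGIN",
        "S: 334 VXNlcm5hbWU6",         # base64("Username:")
        "C: " + b64(username),
        "S: 334 UGFzc3dvcmQ6",         # base64("Password:")
        "C: " + b64(password),
        "S: 235 2.7.0 Authentication successful",
    ]


def extract_auth_login(lines):
    """Recover (username, password) from an AUTH LOGIN exchange, or None.
    AUTH LOGIN sends the two values as separate base64 client lines."""
    client = [ln[3:].strip() for ln in lines if ln.startswith("C: ")]
    for i, cmd in enumerate(client):
        if cmd.upper() == "AUTH LOGIN" and i + 2 < len(client):
            try:
                user = base64.b64decode(client[i + 1], validate=True).decode()
                pw = base64.b64decode(client[i + 2], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                return None
            return user, pw
    return None


def match_session(dst_host: str, dst_port: int, lines, cfg: dict) -> dict:
    """Compare one captured SMTP session with the extracted config.
    Destination and leaked password are checked independently, so the same
    credentials reused against another server still surface as 'partial'."""
    creds = extract_auth_login(lines)
    destination = dst_host.lower() == cfg["host"].lower() and dst_port == cfg["port"]
    password = creds is not None and creds[1] == cfg["password"]
    if destination and password:
        verdict = "match"
    elif destination or password:
        verdict = "partial"
    else:
        verdict = "none"
    return {
        "destination": destination,
        "password": password,
        "username": creds[0] if creds else None,
        "verdict": verdict,
    }


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    # Constructed sessions: one replaying the sample's exfil login, one benign.
    exfil = smtp_auth_login_session("user@example.invalid", cfg["password"])
    benign = smtp_auth_login_session("alice@corp.example", "correct horse")
    print(match_session("mail.pkfpmes.co.ke", 587, exfil, cfg))
    print(match_session("smtp.corp.example", 587, benign, cfg))
```

The destination check alone is what a network blocklist gives you; decoding AUTH LOGIN ties a specific session to this campaign's mailbox credentials, which matters when the same drop host serves several actors. If the session is wrapped in STARTTLS only the host/port half of the check is available from traffic, and the credential half has to come from host-side artefacts or the sandbox config instead.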