General
-
Target
20e17f5f5b13e91bc4e89d33704009fe6126d7a09da43365dfd264351fb2b65b
-
Size
388KB
-
Sample
220521-bb4e7abff4
-
MD5
9c364d11306c1e302ee454f7ddcb4173
-
SHA1
ca9111a8d5d82a4f782e7d46b265e5b2e029ef2f
-
SHA256
20e17f5f5b13e91bc4e89d33704009fe6126d7a09da43365dfd264351fb2b65b
-
SHA512
1f0d8d9734c6debcb0ba838e85de666fc1b3ea7a2189204f134d93ad69576f94913b0a4e030d4ff7f8d4825cb1940e7fa129ab4b3bc3404ceece2d6bd7d28f5a
Static task
static1
Behavioral task
behavioral1
Sample
INV01.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
INV01.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.nedtek.com.au/ - Port:
21 - Username:
[email protected] - Password:
philomina1234567890
Protocol: ftp- Host:
ftp://ftp.nedtek.com.au/ - Port:
21 - Username:
[email protected] - Password:
philomina1234567890
Extracted
Protocol: ftp- Host:
ftp.nedtek.com.au - Port:
21 - Username:
[email protected] - Password:
philomina1234567890
Targets
-
-
Target
INV01.exe
-
Size
440KB
-
MD5
b9743458d1fc6404f135ad3316f174b9
-
SHA1
1df0673acc0e37439031915478b2ae8817fbd478
-
SHA256
d31acad1f441efed4a4cef4782ff79cce51d37a1e78b8a9af72c484326e5fd01
-
SHA512
71b07f3b916cb60a4f7186420e1daa42616f2bc1e60679ed00d53e832dbc23d5b2b12ec9c96d894269fe366223855d656c240c0093d8a27e98f16fd49f307889
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-