General
Target: 6AE7B9957A07BB74DB7765FD6C639A3C8AA42EC451E80B2D7CAF391F92E24A7F
Size: 638KB
Sample: 221123-r1r2fsaa55
MD5: 1f3b735fee13705c4368288b7ff93ffa
SHA1: e5c36590bb257017323b9aa18632c692595f0c36
SHA256: 6ae7b9957a07bb74db7765fd6c639a3c8aa42ec451e80b2d7caf391f92e24a7f
SHA512: b5eb06f7842a7e903ec9a1e822a97691a6b1638bb73aa760ae3180685180f11e39abb086a49de683c19d91c709b2cd137b884c9a05af213a1b68ee36a915ffd5
SSDEEP: 12288:2z9jrR/Gz6BYZi4jIU8t4VHWrkOvQYGjGgIa+3FNoBTz:alrPYZsU80m5qjRIa+wTz
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Orders.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Purchase Orders.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.abaexlogistics.com
Port: 587
Username: [email protected]
Password: Op3r@2021!
Email To: [email protected]
Targets
Target: Purchase Orders.exe
Size: 835KB
MD5: 986d201be0de714e6e89fdb89af8f172
SHA1: 95f4ffc07db4709c9d148273320cee228fbf088a
SHA256: 968be89e91c52db13b473bf5894e1b11de82551176fff293d752e388f7e83175
SHA512: e6899b74da72a831f6f9a72e3b489f5b121c85590f73d1cc5112d34256161c3be208bc7d68a900e853365561c3bcbdc2d367b1b8231735ef107920701b14a33b
SSDEEP: 12288:IWuFITqcSpFKgLIvGTU5YakRORcm4Y2JGAfmjobA2r:MFnc4FtLIKakRDVhug
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Adds Run key to start application
Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext