General
-
Target
2A013945C03285FA0AA02F04A9E7557DF761A75BDD39B22CBF682721192D8BCC
-
Size
525KB
-
Sample
221123-r2gl4sda91
-
MD5
89658ee8fbac7a084a59bf030e0098bd
-
SHA1
effee1f0cf2344cac89f67b6f59b4147d342cf42
-
SHA256
2a013945c03285fa0aa02f04a9e7557df761a75bdd39b22cbf682721192d8bcc
-
SHA512
179f28c29ad95ec62cd8d3384541843586189c97b67fdcab445ba95f9671b7a90326a63fa07f37246f43afac19dd4d429a2d03c351ac6098bfa28fd882520d17
-
SSDEEP
12288:Wx8F5sEtZRgwhUIJQbikNeJU5GBUX+X7DIryrFUA:WxMzZRg1bLeJafuXNrFX
Static task
static1
Behavioral task
behavioral1
Sample
FA369852.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
FA369852.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://192.3.223.202
Port: 21
Username: ftplogs
Password: sPkZ7jK7P6aA
Targets
-
Target
FA369852.exe
-
Size
753KB
-
MD5
fe95779f01c2cf063ca96f9227c079c7
-
SHA1
3ed0e9d3472f191d2aace68d6c0f75149228ff3b
-
SHA256
6497c358f05eae2afbb8535f92a187cb27293fb583017c19bd495f838d7b2d26
-
SHA512
dff6c1baf63d3a180d60c0dfc22619b31dc884f4a9a88d501041d92f6b65794f478fb432452f8064264f9a8f73cbebe257c9d65c3e08f62c3b9d3b734f7e6479
-
SSDEEP
12288:gigDGkBZwgwhUpJQN1kw9zb5GB4XXo713JEI5M/:I3BZwg0Nx9z1LHo8
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-