General
Target: INV-117624 LPO-3642.zip
Size: 543KB
Sample: 221125-hdggrsca8z
MD5: b2aadf4b50e1db2e775fbc3630468087
SHA1: e3b11d0512ee119928e127a71fa2eadcc0f225b5
SHA256: cfae17dbafecd66a9b4404679670674dc101aa23691a6b54c4e59d937a8bdb84
SHA512: 4d22315a5751c40f43d123d9fa4b0c4b902341a84fd51d27c7af5d778cc8013500eb2020040a71df3eac4759caeb8fa67df3849e676201906352aca8d925fe09
SSDEEP: 12288:1Td0mBeouIVkCla2mFx+6ZW+rVRSmMywOQk77AsWCFrZO8r55U9sm07BeVu:FOmBeoICr8x+qPvhksRxZJbU9sm07EQ
Static task: static1
Behavioral task: behavioral1
Sample: INV-117624 LPO-3642.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: INV-117624 LPO-3642.exe
Resource: win10v2004-20220812-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.strictfacilityservices.com
Port: 587
Username: [email protected]
Password: SFS!@#321
Email To: [email protected]
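The extracted SMTP config above, turned into hunt indicators and run over network events, as an added example that is not part of the sandbox report. The config values are the ones this page lists (the redacted "[email protected]" placeholders are kept verbatim); the event records, the process names other than the sample's own file name, and the mail-client allow-list are constructed assumptions for illustration. The parser also shows how to recover the config from the flattened "Key: value - Key: value" run that the report page collapses it into.

```python
"""AgentTesla SMTP exfil config -> hunt indicators -> matches in network events.

Added example, not code from the sandbox or the report. Config values are the
ones on the page; the events below are constructed, not real telemetry.
"""
import re

# The config exactly as the report page flattens it (line breaks included).
REPORT_CONFIG_TEXT = """Protocol: smtp- Host:
mail.strictfacilityservices.com - Port:
587 - Username:
[email protected] - Password:
SFS!@#321 - Email To:
[email protected]"""

# "Key: value" pairs separated by " - "; a lookahead keeps the next key intact.
KEY_VALUE_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*(?:-\s+(?=[A-Za-z][A-Za-z ]*?:)|$)"
)

# Assumed allow-list: processes expected to speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def parse_flattened_config(text):
    """Rebuild the key/value config from the extraction-flattened text."""
    flat = " ".join(text.split())          # collapse the inserted line breaks
    return dict(KEY_VALUE_RE.findall(flat))


def indicators(cfg):
    """Network-level indicators derived from the extracted config."""
    return {
        "host": cfg["Host"].lower(),
        "port": int(cfg["Port"]),
        "username": cfg["Username"],       # redacted on the page, kept as-is
        "recipient": cfg["Email To"],      # redacted on the page, kept as-is
    }


# Constructed Sysmon-Event-3-style network events (not real telemetry).
EVENTS = [
    {"ts": "2022-11-25T08:12:01Z",
     "image": r"C:\Users\user\AppData\Roaming\INV-117624 LPO-3642.exe",
     "dest_host": "mail.strictfacilityservices.com", "dest_port": 587},
    {"ts": "2022-11-25T08:12:05Z",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "outlook.office365.com", "dest_port": 443},
    {"ts": "2022-11-25T08:13:40Z",
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "smtp.example.net", "dest_port": 587},
    {"ts": "2022-11-25T08:14:02Z",
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "dest_host": "smtp.example.net", "dest_port": 587},
]


def hunt(events, ioc):
    """Return (ts, process, dest_host, reasons) for every suspicious event.

    Two independent detections: an exact match on the extracted exfil host,
    and a behavioural check for SMTP submission from a non-mail-client process
    (catches the same family with a different config).
    """
    hits = []
    for ev in events:
        reasons = []
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["dest_host"].lower() == ioc["host"]:
            reasons.append("destination matches extracted exfil host")
        if ev["dest_port"] in SMTP_PORTS and proc not in MAIL_CLIENTS:
            reasons.append(f"SMTP submission from non-mail-client process {proc}")
        if reasons:
            hits.append((ev["ts"], proc, ev["dest_host"], reasons))
    return hits


if __name__ == "__main__":
    cfg = parse_flattened_config(REPORT_CONFIG_TEXT)
    for ts, proc, host, reasons in hunt(EVENTS, indicators(cfg)):
        print(ts, proc, host, "; ".join(reasons))
```

The host/port match is a high-confidence but brittle indicator (the next build will carry a different mailbox); the process-based SMTP rule is the durable one and is worth keeping as a standing detection, tuned with whatever mail clients are actually deployed.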
Targets
Target: INV-117624 LPO-3642.exe
Size: 651KB
MD5: 505852f2cd67a14131d2d6e927d92889
SHA1: a7062897a84533c30705eb6667d352c78a43b9f6
SHA256: 8e6fe812e3f4a19a51a0978e9c47e2cdb891f1feecb0a7ae2c1eff744c971371
SHA512: 49709821545b0fb4e7c12ebee2382258def6f5ad9025c91d1ce28bd02b961d8f7c0aed47d2d1a866d5636643d9f13e5a561c872e06e758af2f2f148180bd7585
SSDEEP: 12288:sFTYIvM3zrbETClyHskFgFwIyXCDmVRSmMSwOQkL7AiGSdrZOOP55U9smC7B4s:6dU376CoskFgqIyXxv/kiPpZFbU9smCr
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext
Typically used on a suspended child process to redirect its execution to injected code (process hollowing).