General
-
Target
INV and NOA.exe
-
Size
914KB
-
Sample
221126-cxe56ahh91
-
MD5
eece97d66f499d5bc467b57dc23fd6aa
-
SHA1
cfd55a1a6de54a074c202169e2d1a050727ead6c
-
SHA256
b33ad8c19c7d05ef5e089aee474e1c596787329a41323be0ca7401186402ce22
-
SHA512
ce17d7659d8220ada495ae64e7cf6c63d1f44a462320bab18a50df1009de94e7b9101f54f22ffd4d00788b6a408a189d7c7f54c5c5147abb0e8e7e796fd737e4
-
SSDEEP
24576:36U376CNSebh0qxoRaDXx3CQbk1vYKtSBObztIskFgqIyX:3TXh0q3zxNbcztIObznkVX
Static task
static1
Behavioral task
behavioral1
Sample
INV and NOA.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
INV and NOA.exe
Resource
win10v2004-20220812-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.southernboilers.org - Port:
587 - Username:
[email protected] - Password:
Sksmoke2018# - Email To:
[email protected]
Targets
-
-
Target
INV and NOA.exe
-
Size
914KB
-
MD5
eece97d66f499d5bc467b57dc23fd6aa
-
SHA1
cfd55a1a6de54a074c202169e2d1a050727ead6c
-
SHA256
b33ad8c19c7d05ef5e089aee474e1c596787329a41323be0ca7401186402ce22
-
SHA512
ce17d7659d8220ada495ae64e7cf6c63d1f44a462320bab18a50df1009de94e7b9101f54f22ffd4d00788b6a408a189d7c7f54c5c5147abb0e8e7e796fd737e4
-
SSDEEP
24576:36U376CNSebh0qxoRaDXx3CQbk1vYKtSBObztIskFgqIyX:3TXh0q3zxNbcztIObznkVX
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-