General
-
Target
INV and NOA.zip
-
Size
823KB
-
Sample
221128-hqx1aade55
-
MD5
ca0f9852bb5acec3555343411bffc674
-
SHA1
58d115308633d00fe7650fc967d15b2f90bd0c3c
-
SHA256
8f5b224a8a1dabf0544800d7667a3aa5fc0e2d65c580f047a496f349cfcf332b
-
SHA512
bb489611d5a759add4a35e9070d64605c440dd907f1a710408b85e89665605a30a75333a32e50a0d1f0b357f8730687048d705ebd81b8a4ad00cde5ad33254f9
-
SSDEEP
24576:ZKMBKv5UL/06xoRaD1T3CQb2VvYkrSBebTbHf4OA1:ZKMkK/063ZTNbQ9rIebTjfNM
Static task
static1
Behavioral task
behavioral1
Sample
INV and NOA.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
INV and NOA.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.southernboilers.org - Port:
587 - Username:
[email protected] - Password:
Sksmoke2018# - Email To:
[email protected]
Targets
-
-
Target
INV and NOA.exe
-
Size
914KB
-
MD5
eece97d66f499d5bc467b57dc23fd6aa
-
SHA1
cfd55a1a6de54a074c202169e2d1a050727ead6c
-
SHA256
b33ad8c19c7d05ef5e089aee474e1c596787329a41323be0ca7401186402ce22
-
SHA512
ce17d7659d8220ada495ae64e7cf6c63d1f44a462320bab18a50df1009de94e7b9101f54f22ffd4d00788b6a408a189d7c7f54c5c5147abb0e8e7e796fd737e4
-
SSDEEP
24576:36U376CNSebh0qxoRaDXx3CQbk1vYKtSBObztIskFgqIyX:3TXh0q3zxNbcztIObznkVX
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-