General
Target: INVOICE #24560908.zip
Size: 622KB
Sample: 221129-qms6xsfc6s
MD5: 3f7de6ef4246f4814f05e3cf598d67d7
SHA1: 03cb58fe87f3cddae583402f79f8680bed7e43c6
SHA256: faaa6cb489016f708b2b2ddd9dec8af64379858e1024cca2392b16f409e00386
SHA512: 83cd35d81e80fceee469e5685262ae755e8dd5c06341f7ff527c14bb8fcbeac9f297be555022c013f65b26d25dd2cd736134edaf3759bc774d622854f5791896
SSDEEP: 12288:N9p6YUAfeB710xKwKks/YZ9mIapoL4wn6O/ceami5desezCDsLKgM:16YUVB7MKw7s/e9vWonoF5dde/+
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE #24560908.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: INVOICE #24560908.exe
  Resource: win10v2004-20221111-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
Targets
Target: INVOICE #24560908.exe
Size: 783KB
MD5: effa64d665cc881b80faefb053896c75
SHA1: 314ae8a3bfbbae37b92ab9c1d4e72a2f3ba77959
SHA256: 9d6b6913c2b8b1084f4177076c9c2b759ce8a903bc7baf1b1c0ef3bf5635c361
SHA512: 8edb0d1298146e744847cc4efafcce3da52859b3beef6d8e3ca15049188abab93f1fb7c097cae4515d2faca29662d57fb7c3dbb5a9be8c9fadd89bdb38c15fc7
SSDEEP: 24576:QivLGVB70aw1s/U97WopiNc9/LkInstI:+VB70aw1u8piN0/LMt
Score: 10/10
Signatures:
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext