General
-
Target
Quotation.zip
-
Size
627KB
-
Sample
221129-qmtgpafc6w
-
MD5
18318c04969b8093805c786ba7bb7b59
-
SHA1
feda3798b7113c365bd3a3d970987fd559092bd2
-
SHA256
40a749e596b281d72c57c18bf5d389d128e47c153244a7c8683d051214ac52b0
-
SHA512
703b4bd9767d47cf4fce719ecfe5cc066c0425a76b0fe5c1647fb241c187d74558db444a915839ad6422c76e655566825e28fdb080457ba4b0d90225f4dd97d8
-
SSDEEP
12288:aXFuld2ZE+5+2Ga3eL+605H0U6TNDrUwStW5TCvS+/giRHWUy2r:aXFod2ZD5+za3m0W7TxovMpCvh/9JT
Static task
static1
Behavioral task
behavioral1
Sample
Quotation.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
Quotation.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.strictfacilityservices.com - Port:
587 - Username:
[email protected] - Password:
SFS!@#321 - Email To:
[email protected]
Targets
-
-
Target
Quotation.exe
-
Size
789KB
-
MD5
72c17e8d702de79f794fe16787a61098
-
SHA1
18f51344f688db3979c55a6322f013269b4c308d
-
SHA256
4513951a7d2bdb62b062c790f0c259d9f5854497b6e5e8ed0369d22197d1e856
-
SHA512
09ca148f810649989cb89507848de48d55738f79bc301e4a7c8b2f3b52bc231b59aa79c15be126eb7c41a2d8801279792eb21a262b45e0503a8c93eca26fec43
-
SSDEEP
12288:OKdsCbFr5cE8LHWy/SEdRMA/LyzIPPPu6gtFNDzUwSzWbTgvS6/IiTHWcb:7ovLB9/LkInstFxQvCngv5/1db
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-