General
Target: SHIPMENT DOCUMENTS.exe
Size: 875KB
Sample: 221129-s22sqafc4s
MD5: 12dc06d3034a17be7a70a4aa45edce8d
SHA1: 9b68ae25498a12f19360dc0dc023af61ca9bfa9d
SHA256: 91826efe412b5c829801d1c52fbb43225cf1f0fc4cba201453ad877341c64b90
SHA512: 49e50afde47577d004322820a4f37de2df21968751d863f312d4653934187c4f42e4ac8eeaa43f67cb73ef10a35f14e3cdec4f710116acaf52114007efd6c4a1
SSDEEP: 12288:xcn1uQarFr5cE8LHWzVDLIKnnaYz4gIc+zuWl9wzV9av/SEdRMA/LyVu6gt0IPP:xYDvL6+Kn7ZciImV9an9/L1t0In
Static task: static1
Behavioral task: behavioral1 (Sample: SHIPMENT DOCUMENTS.exe, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: SHIPMENT DOCUMENTS.exe, Resource: win10v2004-20220901-en)
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.southernboilers.org
Port: 587
Username: info@southernboilers.org
Password: Sksmoke2018#
Email To: obtxxxtf@gmail.com
Targets
Target: SHIPMENT DOCUMENTS.exe
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext