General
- Target: SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.exe
- Size: 927KB
- Sample: 221206-g8bz4abh84
- MD5: f41c79d711133f5df0489e2e624ea8a6
- SHA1: aeca8f699d3363a33fa469244026904008a6adbe
- SHA256: e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d
- SHA512: 9320154e9927778c97e1e819d1c642e792e70a47439670a7fa86ed913b25da17f68da6733720c09d086a212b186c2c0d2da6eaaac10d15139e06c7788b5f47d7
- SSDEEP: 12288:uc+iCP6hW5EQz8SioOhok4DhArZJ3WOYnjEXcR3k5flwj2bO6jmangKZ/nXt7vie:F+NY4E6VOhwS1GjJ3k5fWySw
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.deconbrio.com
- Port: 21
- Username: [email protected]
- Password: Aa5nm2gb@kgb.
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.deconbrio.com
- Port: 21
- Username: [email protected]
- Password: Aa5nm2gb@kgb.
Targets
- Target: SecuriteInfo.com.Trojan.Inject4.48217.30341.13985.exe
- Size: 927KB
- MD5: f41c79d711133f5df0489e2e624ea8a6
- SHA1: aeca8f699d3363a33fa469244026904008a6adbe
- SHA256: e0841ea0f3c64de1b5135c69a841cf633fb6c1b34642992cd3474cfe53c81f7d
- SHA512: 9320154e9927778c97e1e819d1c642e792e70a47439670a7fa86ed913b25da17f68da6733720c09d086a212b186c2c0d2da6eaaac10d15139e06c7788b5f47d7
- SSDEEP: 12288:uc+iCP6hW5EQz8SioOhok4DhArZJ3WOYnjEXcR3k5flwj2bO6jmangKZ/nXt7vie:F+NY4E6VOhwS1GjJ3k5fWySw
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely used as a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext