General
Target: INV-00241.exe
Size: 654KB
Sample: 221206-l8g9bsbf3z
MD5: 4b9d7b1ea4b94c7b9a9c8a7d85578c9d
SHA1: bd580c3c037c244c4c5b820dbb017e14b032b4ec
SHA256: 3e8e2a2868f0e729a298541b51105ca23c60b0ffaa2c7b7c89e8a1edc0b2eab7
SHA512: b3ead2fbf3b0e408c0cd2dcc4738c84967321a7c7fe0d673ed7df5400387084f627b8ee7ad6075cff6d1f2f6127d4c85ea9797f12ddf5ab4948fedec82752119
SSDEEP: 6144:7BnJ+58yUPAQVBXw5EPSzoBoe2ZP7e4VimiMxu2Kd4Dic8caelU:D+9UPAuA51s2zMcBjxRKrczaL
Static task: static1
Behavioral task: behavioral1 (Sample: INV-00241.exe, Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: INV-00241.exe, Resource: win10v2004-20220901-en)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.crownoffice.xyz
Port: 587
Username: [email protected]
Password: GRACEoverflow123@
Targets
Target: INV-00241.exe (size and hashes as listed under General above)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext