General
Target: CI-OMG200602.exe
Size: 375KB
Sample: 221231-dvra3scc8z
MD5: 485240e3236bb5fb9f4592684b9f912e
SHA1: cdff2f67dff804cdccbda85a667847009c9c52c6
SHA256: fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2
SHA512: 5c68d7f9c78adb34bd5e3b7767dfe9c5dcad9c23e402d35ced6e13bfadc7791549ff00f855fa2b92d002aeafdc8ccb4c1d015f6f91b105a404b17c51411fee45
SSDEEP: 6144:Q4t6LsOB/OKpXK7tP2yFVV12wf69+7vWK8LEPdukN/7bon4KwHkfgtss0CNIyOFZ:QkOB/OKYO+fUYvWbEP7hbon43Hkfgts/
Static task: static1
Behavioral task: behavioral1 (sample CI-OMG200602.exe, resource win7-20220812-en)
Behavioral task: behavioral2 (sample CI-OMG200602.exe, resource win10v2004-20221111-en)
Malware Config

Targets
Target: CI-OMG200602.exe
Size: 375KB
MD5: 485240e3236bb5fb9f4592684b9f912e
SHA1: cdff2f67dff804cdccbda85a667847009c9c52c6
SHA256: fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2
SHA512: 5c68d7f9c78adb34bd5e3b7767dfe9c5dcad9c23e402d35ced6e13bfadc7791549ff00f855fa2b92d002aeafdc8ccb4c1d015f6f91b105a404b17c51411fee45
SSDEEP: 6144:Q4t6LsOB/OKpXK7tP2yFVV12wf69+7vWK8LEPdukN/7bon4KwHkfgtss0CNIyOFZ:QkOB/OKYO+fUYvWbEP7hbon43Hkfgts/
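Before working with a copy of this sample, confirm that the file you obtained is the one the report describes. The script below is an added example (not part of the report or of any sandbox tooling): it computes MD5, SHA1, SHA256 and SHA512 in a single pass over the file and compares them with the values listed above. SSDEEP is not in the standard library and is deliberately left out; the empty-input digests used for the self-check are constructed test data, not the sample.

```python
import hashlib
import io

# Hashes copied from the Targets block of this report.
REPORT_HASHES = {
    "md5": "485240e3236bb5fb9f4592684b9f912e",
    "sha1": "cdff2f67dff804cdccbda85a667847009c9c52c6",
    "sha256": "fe9186c1d8ba97ae6f65152b962c365f55739d010e444e03364a26e4e6009bf2",
    "sha512": "5c68d7f9c78adb34bd5e3b7767dfe9c5dcad9c23e402d35ced6e13bfadc7791549ff00f855fa2b92d002aeafdc8ccb4c1d015f6f91b105a404b17c51411fee45",
}


def digest_stream(stream, algorithms, chunk_size=1 << 20):
    """Compute several digests in one pass so large samples are read once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(stream, expected):
    """Return {algorithm: (matches, computed_hex)} for every expected digest.

    Comparison is case-insensitive because reports and feeds mix cases.
    """
    computed = digest_stream(stream, list(expected))
    return {
        name: (computed[name] == expected[name].strip().lower(), computed[name])
        for name in expected
    }


def verify_bytes(data, expected=REPORT_HASHES):
    """Convenience wrapper for in-memory data (used by the self-check)."""
    return verify(io.BytesIO(data), expected)


def verify_file(path, expected=REPORT_HASHES):
    """Verify a file on disk against the report's hashes."""
    with open(path, "rb") as f:
        return verify(f, expected)


def mismatches(result):
    """Names of the algorithms whose digest did not match, in report order."""
    return [name for name, (ok, _) in result.items() if not ok]


def all_match(result):
    return not mismatches(result)


if __name__ == "__main__":
    import sys
    res = verify_file(sys.argv[1])
    for name, (ok, hexdigest) in res.items():
        print(f"{name:7} {'OK ' if ok else 'BAD'} {hexdigest}")
    sys.exit(0 if all_match(res) else 1)
```

Run it as `python verify_sample.py CI-OMG200602.exe`; a non-zero exit means at least one digest differs from the report, which usually indicates a different build of the same family or a corrupted download rather than the sample analysed here.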
AgentTesla
Agent Tesla is a .NET information stealer with remote access tool (RAT) features, originally written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients, logs keystrokes and clipboard contents, and exfiltrates them over SMTP, FTP or HTTP(S). The Outlook-profile access and the external IP lookup below are consistent with that behaviour.

Checks QEMU agent file
Checks for the QEMU guest agent file on disk, a marker of a QEMU/KVM virtual machine, most likely to detect virtualization and stop or alter behaviour inside a sandbox.

Loads dropped DLL
Loads a DLL that the sample itself wrote to disk during the run, so part of the payload is not present in the original executable and only appears at runtime.

Accesses Microsoft Outlook profiles
Reads Outlook profile data from the registry, where stored mail account settings and credentials are kept; this is consistent with Agent Tesla's credential harvesting.

Looks up external IP address via web service
Uses a legitimate public IP lookup service to learn the infected system's external IP address (the report does not name the service used); the address is typically included in the exfiltrated victim information.

Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so an attached debugger receives no debug events from that thread.

Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) on an existing thread. The effect is the same as above: exceptions and breakpoints on that thread are not reported to the debugger, so a breakpoint hit in it crashes the process instead of stopping it.

Suspicious use of SetThreadContext
Rewrites a thread's register context, typically to point the entry of a suspended process or thread at injected code. Together with the dropped DLL and the hidden threads this is the usual building block of process hollowing or similar injection into a second process.
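The three "suspicious use of" signatures and the IP-lookup signature above are all pattern matches over the API calls the sandbox recorded. The script below is an added example (not the sandbox's own detection code) that shows how such matches are written: it parses a constructed API trace in an assumed "pid api key=value,..." line format, flags the two hide-from-debugger variants by their documented constants (ThreadHideFromDebugger = 0x11, THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4), flags any argument that names one of an assumed list of public IP lookup hosts, and tracks the CREATE_SUSPENDED -> WriteProcessMemory -> SetThreadContext -> ResumeThread sequence that distinguishes hollowing from a benign SetThreadContext. The trace lines, process IDs and target path are all made up for the example.

```python
import re
from collections import defaultdict

# Documented Windows constants (ntdll THREADINFOCLASS, NtCreateThreadEx
# CreateFlags, CreateProcess dwCreationFlags).
THREAD_HIDE_FROM_DEBUGGER = 0x11
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4
CREATE_SUSPENDED = 0x4

# Assumed list of public IP-lookup hosts; the report does not say which one
# the sample contacted.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com",
                   "ipinfo.io", "ifconfig.me"}

# Constructed trace (assumed format: "<pid> <api> key=value,key=value");
# this is not real sandbox output and values must not contain commas.
SAMPLE_TRACE = """\
1234 NtSetInformationThread ThreadHandle=0xfffffffe,ThreadInformationClass=0x11
1234 NtCreateThreadEx ProcessHandle=0xffffffff,CreateFlags=0x4
1234 CreateProcessW lpApplicationName=C:\\target.exe,dwCreationFlags=0x4,dwProcessId=5678
1234 NtUnmapViewOfSection ProcessHandle=0x1c4
1234 WriteProcessMemory hProcess=0x1c4,lpBaseAddress=0x400000
1234 SetThreadContext hThread=0x1c8
1234 ResumeThread hThread=0x1c8
5678 InternetOpenUrlA lpszUrl=http://checkip.dyndns.org/
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)(?:\s+(?P<args>.*))?$")


def parse_trace(text):
    """Turn trace lines into {"pid": int, "api": str, "args": {k: v}} events."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        args = {}
        for kv in (m["args"] or "").split(","):
            if "=" in kv:
                k, _, v = kv.partition("=")
                args[k.strip()] = v.strip()
        events.append({"pid": int(m["pid"]), "api": m["api"], "args": args})
    return events


def _num(value):
    """Parse a numeric argument ("0x11", "17"); None if absent or not a number."""
    try:
        return int(value, 0)
    except (TypeError, ValueError):
        return None


HOLLOW_SEQ = ["CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def detect(events):
    """Return {pid: sorted list of signature names} for the parsed events."""
    findings = defaultdict(set)
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    for pid, evs in by_pid.items():
        stage = 0  # index into HOLLOW_SEQ of the next call we expect
        for e in evs:
            api, a = e["api"], e["args"]
            if api == "NtSetInformationThread" and _num(a.get("ThreadInformationClass")) == THREAD_HIDE_FROM_DEBUGGER:
                findings[pid].add("NtSetInformationThreadHideFromDebugger")
            if api == "NtCreateThreadEx" and (_num(a.get("CreateFlags")) or 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                findings[pid].add("NtCreateThreadExHideFromDebugger")
            if api == "SetThreadContext":
                findings[pid].add("SetThreadContext")
            if any(host in v for v in a.values() for host in IP_LOOKUP_HOSTS):
                findings[pid].add("LooksUpExternalIP")
            # Ordered hollowing chain: unrelated calls in between are ignored.
            if stage == 0:
                if api.startswith("CreateProcess") and (_num(a.get("dwCreationFlags")) or 0) & CREATE_SUSPENDED:
                    stage = 1
            elif api == HOLLOW_SEQ[stage]:
                stage += 1
                if stage == len(HOLLOW_SEQ):
                    findings[pid].add("SuspendedProcessHollowing")
                    stage = 0
    return {pid: sorted(names) for pid, names in findings.items()}


if __name__ == "__main__":
    for pid, names in detect(parse_trace(SAMPLE_TRACE)).items():
        print(pid, ", ".join(names))
```

The chain check is what keeps the SetThreadContext rule from firing on every debugger or profiler that legitimately edits a context: on its own the call only earns the weaker "SetThreadContext" tag, while the full suspended-create, write, context-swap, resume sequence earns the hollowing tag.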