General
- Target: FW_ POSSIBLE FRAUD_ Purchase Order No. BCM190282_Project 2023-01-23T09_54_31+08_00.eml
- Size: 676KB
- Sample: 230123-cyn5fsbe76
- MD5:
879cb17ef57ef0ebdca7b654f821a966
- SHA1:
695f355f072a4638575524c22908a3d81f488899
- SHA256:
3059d397df293d2e922f386abaf6cb264005b41274e33fd5b2d909407d6db256
- SHA512:
70e95c18ec8eb157cd99c196e8f5a8a0d8f48cb2aadc31bfb2249a580d240f8cb731f42d180afef2a595ac19ce24b7e746f4077c563a5656f7d4fe6a5fb3e9df
- SSDEEP:
12288:tFZrCIlsx7aQSMBrRzaIBzBeudEd9fjeBEPW/tNQsbFkspBzj6MD+tk2j:HMGW7apGrnBeudEME+/THpl+tkA
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order No. BCM190282Project.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: Purchase Order No. BCM190282Project.exe
Resource: win10v2004-20220901-en
Malware Config
Extracted
Protocol: smtp
Host: Smtp.ionos.es
Port: 587
Username: mgonzalez@inkor.es
Password: Random1@@##
Extracted
agenttesla
Protocol: smtp
Host: Smtp.ionos.es
Port: 587
Username: mgonzalez@inkor.es
Password: Random1@@##
Email To: fresh.italian@yandex.com
Targets
- Target: Purchase Order No. BCM190282Project.exe
- Size: 552KB
- MD5:
085621949a07bb1b819fe5c6894e7381
- SHA1:
01137a34ab984239fc8517dd79635aaabbfa27b2
- SHA256:
e183f9caf4ab50798816cb2619cbae642d0952df6cf0820524ef2ca631728b3d
- SHA512:
2c622c8b1d5d22957bd03be3fd3271c3eb592aff40b7ef5bbe47cfd484f5305e8aab907befdf5a356200f69bfd887843abb3d94a5c00668601f4b9782ab0ad96
- SSDEEP:
6144:SDgK3Jc/yQeIBLXKvZm5BnZhFY+X550ykb6w5jZSZFMIWJaO74kr2BMRIbhQFu+K:0d5c66BLX/PZjpQNCAaOEkuTEo3
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext