General
- Target: inq 0394511.JPG_1.gz
- Size: 384KB
- Sample: 230124-sdwa2adg7z
- MD5: 305f4e6b7bf4044999f01bf342ce9cfe
- SHA1: 57034875f481d96bd10eba24bf21184eff7986da
- SHA256: 9df038ece0eee04130e70e602d554e2311a75e465b1086a5f18084a5baf5673e
- SHA512: 7a88e3b214c05e6ee7134ad625850fdf089fbd57780a80fb01d08370841263ed9bd6f257034817e257b1e506d47367412afe797bb13959d8f4a827194230fe5c
- SSDEEP: 12288:KvOtvtn+tLIAfLjl5TQRhFYBeXc9eBBDORW9OSMAr:Kmt1n+zLh5TMueDlObe
Static task: static1
Behavioral task: behavioral1
- Sample: inq 0394511 JPG.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: inq 0394511 JPG.exe
- Resource: win10v2004-20221111-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.mcmprint.net
- Port: 21
- Username: klogz@mcmprint.net
- Password: l9Hh{#_(0shZ
Targets
- Target: inq 0394511 JPG.exe
- Size: 675KB
- MD5: 400280e91cfa2e715bde02ee36eb515b
- SHA1: 79c1eb7fa28613739971d8fd6f1519e76ce9a2d8
- SHA256: de0f7866ed19406786d7ae192890e20b2a105f5cb00fbd1ba5e5f5aef9184a73
- SHA512: 746ced23c21ab0ab7492e97708bbd39a816860c8951287cfe559817c9f66164f5dcaf33f90cf9dc89c03f7d0a342f3bfed27ed89a844e8c010ffbb469b396ce2
- SSDEEP: 12288:ekvld8NVtfk9jx5jQDhFGdGXcBeBtDmRW7OYM:eeHiM9l5jgwMDLOx
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file: checks for the presence of the QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext