General

Target: Purchase order 50048205.JPG.lzh
Size: 594KB
Sample: 230203-rqp44sff89
MD5: cb173dd2b4b01b65f759cbc8b4c3df30
SHA1: 5f7b30852748dcd8c2549875a750d08e814c11f5
SHA256: f7a260beec427f7863a82db269e34d3742a984354bdd9da45b99488f3f9f2c5b
SHA512: 285800bc92c401bb4193759fd1aa10ccef508c3a81c43c8d85215f398476d3f4605df0af3300d4337ed9808a9b30b57d90b67d690895fc80e7c3dab436ad90d6
SSDEEP: 12288:vcKbzZgSn9VoB72gyj7VPna3inuvTXNVRiArArJiHsxJxGxz:vcqZxg72gyj7R+qu7dV3RHsxHw
Static task: static1

Behavioral task: behavioral1
Sample: Purchase order 50048205_JPG.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: Purchase order 50048205_JPG.exe
Resource: win10v2004-20220901-en
Malware Config

Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.mcmprint.net
Port: 21
Username: klogz@mcmprint.net
Password: l9Hh{#_(0shZ
Targets

Target: Purchase order 50048205_JPG.exe
Size: 689KB
MD5: ceba3a31aeda8eea8efc26bb787ec690
SHA1: b3a8b39e8438984ba680fe597df728940ed09a66
SHA256: 1430fc7b02d27de2472ec82b085e6c12a1c9a236bf9f10607d39cff2cfcf3406
SHA512: 139ce4a7e0fc91450beb6ab7a29711081db0e033902b5c385bc6408e65dbbcbd35e0621bdd4c2010ff15e91a818311f314d4f15e8f5d636e9d9994f3922a7e5f
SSDEEP: 12288:2cMkhWAEQ0J6rpEretKUjQ0kKSMtpSe2Tahcjd/1FhUxsBPGtVppPNF:czQ0J+EreVFkKSekehm/1FuxsetrhX

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Checks QEMU agent file
Checks for the presence of the QEMU agent, possibly to detect virtualization.

Loads dropped DLL

Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software installed on the system.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext