General
- Target: Aperistalsis.exe
- Size: 632KB
- Sample: 230327-pzmdgadd94
- MD5: 613c37b75995fde9ae189d6abd621bb7
- SHA1: 712cb0725f81257bb1b7d132487dc1a21b7e6e41
- SHA256: 2f9f913f5802b9bda523ef9975a5d9cc478a8cda4720727beab9a6bd3cd1c91f
- SHA512: 1c36015f2f3a8178cdf32f6d90e3cecfa600c7bf2456faf3f6496180ff98237581d91888cd6ca98fbef8fb3821f8787a30d7f4b8bdf80063d5936e980e9a176a
- SSDEEP: 12288:arAERjMZ+P/SdJBFrbsYiLaIWF3POv/rQiD2nNoUnn6JzLJ4QNO:arAE++iUaJFGHcFNoUn6jdk
Static task
- static1
Behavioral task
- behavioral1 (Sample: Aperistalsis.exe, Resource: win7-20230220-en)
Behavioral task
- behavioral2 (Sample: Aperistalsis.exe, Resource: win10v2004-20230220-en)
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.copychamo.com
- Port: 587
- Username: moncada@copychamo.com
- Password: Iu!&}hG}8u#3
- Email To: grupohugovalero@gmail.com
This is the stealer's exfiltration channel: harvested data is sent over authenticated SMTP from the moncada@copychamo.com account to the recipient address. The mail host, the sending account and the recipient are therefore all usable as network and mail-gateway indicators alongside the file hashes.
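The indicators above (the file hashes listed under General and the SMTP exfiltration settings just extracted) can be turned directly into a small IOC check. The following is an added example and is not part of the sandbox report or of AgentTesla itself; the hashes and SMTP values are copied from the report, while the file bytes and the firewall/mail-gateway log lines it scans are constructed for the demonstration, in a loosely syslog-like format that is an assumption of the example.

```python
"""Turn the indicators from this sandbox report into a small IOC check.

Added example, not part of the original report. The hashes and the SMTP
exfiltration settings below are copied from the report; the file bytes and
the log lines fed to the matchers are constructed for the demonstration.
"""
import hashlib
import re

# File-hash indicators for Aperistalsis.exe, copied from the report.
SAMPLE_HASHES = {
    "md5": "613c37b75995fde9ae189d6abd621bb7",
    "sha1": "712cb0725f81257bb1b7d132487dc1a21b7e6e41",
    "sha256": "2f9f913f5802b9bda523ef9975a5d9cc478a8cda4720727beab9a6bd3cd1c91f",
    "sha512": "1c36015f2f3a8178cdf32f6d90e3cecfa600c7bf2456faf3f6496180ff98237581d91888cd6ca98fbef8fb3821f8787a30d7f4b8bdf80063d5936e980e9a176a",
}

# Network/mail indicators from the extracted AgentTesla SMTP config.
SMTP_IOCS = {
    "host": "mail.copychamo.com",
    "port": 587,
    "username": "moncada@copychamo.com",
    "email_to": "grupohugovalero@gmail.com",
}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, over in-memory bytes."""
    return {
        name: hashlib.new(name, data).hexdigest()
        for name in ("md5", "sha1", "sha256", "sha512")
    }


def matches_sample(data: bytes) -> bool:
    """True only if every listed digest matches.

    SHA256 alone would identify the file; requiring all four also catches a
    mistyped or truncated entry in the IOC list itself.
    """
    digests = hash_bytes(data)
    return all(digests[k] == v for k, v in SAMPLE_HASHES.items())


# Constructed log lines (not from the report): firewall and mail-gateway
# records in a syslog-like layout assumed for this example.
SAMPLE_LOGS = [
    "fw: allow tcp src=10.0.0.21:49812 dst=mail.copychamo.com:587",
    "mailgw: AUTH LOGIN user=moncada@copychamo.com from=10.0.0.21",
    "mailgw: MAIL FROM:<moncada@copychamo.com> RCPT TO:<grupohugovalero@gmail.com>",
    "fw: allow tcp src=10.0.0.33:51000 dst=mail.example.net:587",
]

_HOST_PORT = re.compile(r"dst=(?P<host>[\w.-]+):(?P<port>\d+)")
_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def scan_logs(lines) -> list:
    """Return (line, reason) pairs for lines that touch the exfiltration channel."""
    hits = []
    for line in lines:
        m = _HOST_PORT.search(line)
        if (m and m.group("host") == SMTP_IOCS["host"]
                and int(m.group("port")) == SMTP_IOCS["port"]):
            hits.append((line, "smtp-host"))
            continue
        # Mail-gateway lines: look for the exfil account or its recipient.
        addrs = {a.lower() for a in _ADDR.findall(line)}
        if SMTP_IOCS["username"] in addrs:
            hits.append((line, "exfil-account"))
        elif SMTP_IOCS["email_to"] in addrs:
            hits.append((line, "exfil-recipient"))
    return hits


if __name__ == "__main__":
    print("constructed bytes match sample:", matches_sample(b"not the real sample"))
    for line, reason in scan_logs(SAMPLE_LOGS):
        print(f"[{reason}] {line}")
```

Port 587 to an arbitrary mail host is normal traffic, so the host match is keyed on the specific exfiltration server; the account and recipient checks are what make the mail-gateway side of the detection useful even if the attacker moves the server.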
Targets
- Target: Aperistalsis.exe
- Size: 632KB
- MD5: 613c37b75995fde9ae189d6abd621bb7
- SHA1: 712cb0725f81257bb1b7d132487dc1a21b7e6e41
- SHA256: 2f9f913f5802b9bda523ef9975a5d9cc478a8cda4720727beab9a6bd3cd1c91f
- SHA512: 1c36015f2f3a8178cdf32f6d90e3cecfa600c7bf2456faf3f6496180ff98237581d91888cd6ca98fbef8fb3821f8787a30d7f4b8bdf80063d5936e980e9a176a
- SSDEEP: 12288:arAERjMZ+P/SdJBFrbsYiLaIWF3POv/rQiD2nNoUnn6JzLJ4QNO:arAE++iUaJFGHcFNoUn6jdk
- AgentTesla: Agent Tesla is a .NET (Visual Basic .NET) remote access tool (RAT) and information stealer.
- Checks QEMU agent file: Checks for the presence of the QEMU guest agent, most likely to detect that it is running inside a virtual machine or sandbox.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of NtCreateThreadExHideFromDebugger: Creates a thread with the hide-from-debugger flag so an attached debugger is not notified of its events (anti-debugging).
- Suspicious use of NtSetInformationThreadHideFromDebugger: Sets the ThreadHideFromDebugger information class on a thread for the same purpose (anti-debugging).
- Suspicious use of SetThreadContext: Rewrites a thread's register context, the API commonly used to redirect execution in process hollowing and thread hijacking.
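The behaviour signatures above are, in effect, rules over the API calls the sandbox hooked. The following is an added example, not the sandbox's own rule set and not code from the report, showing how four of them map onto a trace. The trace records are constructed; the constant values for ThreadHideFromDebugger (0x11) and THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) are documented Windows values; the `qemu-ga` path fragment is an assumption about where the QEMU guest agent is normally installed; and restricting the SetThreadContext rule to cross-process targets is a design choice of this example, not something the report states.

```python
"""Map a sandbox API trace onto the behaviour signatures in this report.

Added example, not part of the original report or the sandbox's own rules.
The trace records below are constructed. ThreadHideFromDebugger (0x11) and
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4) are documented Windows constants;
the "qemu-ga" path fragment is an assumption about the guest agent's install
location.
"""

THREAD_HIDE_FROM_DEBUGGER = 0x11               # THREADINFOCLASS value
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4   # NtCreateThreadEx flag

SIG_QEMU = "Checks QEMU agent file"
SIG_NTSIT = "Suspicious use of NtSetInformationThreadHideFromDebugger"
SIG_NTCTE = "Suspicious use of NtCreateThreadExHideFromDebugger"
SIG_STC = "Suspicious use of SetThreadContext"

# Constructed trace: one record per hooked API call. "pid" is the caller;
# thread-targeting calls carry the owning process of the target thread.
TRACE = [
    {"pid": 1234, "api": "CreateFileW",
     "args": {"path": r"C:\Program Files\qemu-ga\qemu-ga.exe"}},
    {"pid": 1234, "api": "NtSetInformationThread", "args": {"info_class": 0x11}},
    {"pid": 1234, "api": "NtCreateThreadEx", "args": {"flags": 0x4, "target_pid": 1234}},
    {"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 5678}},
    {"pid": 1234, "api": "SetThreadContext", "args": {"target_pid": 1234}},
]

_FILE_APIS = ("CreateFileW", "NtCreateFile", "GetFileAttributesW")


def triage(trace) -> list:
    """Return the sorted list of signature names the trace satisfies."""
    sigs = set()
    for rec in trace:
        api, args = rec["api"], rec["args"]
        if api in _FILE_APIS and "qemu-ga" in args.get("path", "").lower():
            sigs.add(SIG_QEMU)
        elif api == "NtSetInformationThread" and args.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            sigs.add(SIG_NTSIT)
        elif api == "NtCreateThreadEx" and args.get("flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            sigs.add(SIG_NTCTE)
        elif api == "SetThreadContext" and args.get("target_pid") != rec["pid"]:
            # Rewriting a thread context in another process is the hallmark of
            # process hollowing / thread hijacking; in-process use is left alone.
            sigs.add(SIG_STC)
    return sorted(sigs)


if __name__ == "__main__":
    for sig in triage(TRACE):
        print(sig)
```

The two anti-debugging rules are exact matches on a constant, so they are cheap and precise; the QEMU and SetThreadContext rules are heuristics and are where a real rule set spends its tuning effort.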