General
-
Target
toldkammer.exe
-
Size
631KB
-
Sample
230328-prbxrsba47
-
MD5
e0656d3b5ff789851c5beaefe5948600
-
SHA1
04e791f6b5ca48881ae26dd8be55ce6d23b2b17b
-
SHA256
ed5a4b555700f4831a059d203d7027bc6a36ad03347d23fffd6ad3738635b2ff
-
SHA512
dfd8e200b813d54cec79d3aa358df5b09b439fba0f9b799b3c2b3fb0a3c3c809e192c5b1f0c6fd3de663d82baa7d334e3029bb1e02f6b12243cd069f456d2f96
-
SSDEEP
12288:vrAER6R6hCGsIQUhoxUZ3id6t+9NJfE4foWRN9rkWrH3TqdCo:vrAERzhRaI6JMm71zriP
Static task
static1
Behavioral task
behavioral1
Sample
toldkammer.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
toldkammer.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.copychamo.com
Port: 587
Username: moncada@copychamo.com
Password: Iu!&}hG}8u#3
Email To: grupohugovalero@gmail.com
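The extracted configuration is the most directly actionable part of the report: the SMTP submission host, the attacker-controlled sender mailbox and the drop mailbox are all network observables. The following script is an added example, not part of the sandbox report or of the Agent Tesla family itself. It parses the configuration block exactly as the report prints it (splitting on the report's field labels rather than on " - ", so passwords containing "-" or ":" survive), then matches the resulting indicators against log lines. The key=value log format, the IP addresses (RFC 5737 documentation ranges) and the mail-client allowlist are assumptions; the configuration values are the report's.

```python
"""Turn the Agent Tesla SMTP configuration extracted above into network
indicators and match them against log lines.  Example code added to this
report; the log format, the IP addresses and the mail-client allowlist are
assumptions, the configuration values are the report's."""
import re
from dataclasses import dataclass

# The extracted configuration, as printed in the report (joiner text and all).
CONFIG_TEXT = """agenttesla
Protocol: smtp- Host:
mail.copychamo.com - Port:
587 - Username:
moncada@copychamo.com - Password:
Iu!&}hG}8u#3 - Email To:
grupohugovalero@gmail.com"""

FIELDS = ("Protocol", "Host", "Port", "Username", "Password", "Email To")
# Processes allowed to talk to a mail submission port (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed log lines (not from the report): a DNS query, a TCP connection,
# a TLS ClientHello with SNI, benign Outlook traffic, and a mail-gateway
# envelope record.  198.51.100.7 / 203.0.113.9 are documentation addresses.
SAMPLE_LOGS = [
    "ts=2023-03-28T10:01:01Z src=10.0.0.23 proc=toldkammer.exe query=mail.copychamo.com qtype=A",
    "ts=2023-03-28T10:01:02Z src=10.0.0.23 proc=toldkammer.exe dst=198.51.100.7 dport=587 proto=tcp",
    "ts=2023-03-28T10:01:02Z src=10.0.0.23 proc=toldkammer.exe sni=mail.copychamo.com dport=587",
    "ts=2023-03-28T10:05:00Z src=10.0.0.41 proc=outlook.exe dst=203.0.113.9 dport=587 proto=tcp",
    "ts=2023-03-28T10:06:10Z src=10.0.0.23 proc=toldkammer.exe mailfrom=moncada@copychamo.com rcptto=grupohugovalero@gmail.com",
]


@dataclass(frozen=True)
class SmtpExfilConfig:
    family: str
    protocol: str
    host: str
    port: int
    username: str
    password: str
    email_to: str


def parse_agenttesla_config(text: str) -> SmtpExfilConfig:
    """Split on the report's own field labels rather than on ' - ', so a
    password containing '-' or ':' is kept whole.  (A value that itself
    contains a label such as 'Port:' would still confuse this.)"""
    flat = " ".join(text.split())
    label_re = "(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*"
    parts = re.split(label_re, flat)
    values = {}
    for label, raw in zip(parts[1::2], parts[2::2]):
        # Drop only the trailing " - " joiner the report inserts between fields.
        values[label] = re.sub(r"\s*-\s*$", "", raw.strip())
    return SmtpExfilConfig(
        family=parts[0].strip(),
        protocol=values["Protocol"],
        host=values["Host"],
        port=int(values["Port"]),
        username=values["Username"],
        password=values["Password"],
        email_to=values["Email To"],
    )


def parse_kv(line: str) -> dict:
    """Parse a whitespace-separated key=value log line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def match_exfil(cfg: SmtpExfilConfig, lines: list) -> list:
    """Return (line, reasons) for every line that touches the extracted config."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        reasons = []
        if cfg.host in (ev.get("query"), ev.get("sni"), ev.get("dst")):
            reasons.append("exfil host")
        if ev.get("dport") == str(cfg.port) and ev.get("proc", "").lower() not in MAIL_CLIENTS:
            reasons.append("submission port from non-mail-client")
        if ev.get("mailfrom") == cfg.username:
            reasons.append("attacker mailbox as sender")
        if ev.get("rcptto") == cfg.email_to:
            reasons.append("drop mailbox as recipient")
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    config = parse_agenttesla_config(CONFIG_TEXT)
    for hit_line, why in match_exfil(config, SAMPLE_LOGS):
        print(", ".join(why), "<-", hit_line)
```

One caveat when turning this into production detections: port 587 submission normally negotiates STARTTLS, so MAIL FROM / RCPT TO are encrypted on the wire and the mailbox checks only work on mail-gateway or decrypting-proxy logs. The DNS query and the TLS SNI for mail.copychamo.com, and any non-mail-client process opening port 587, are the observables that survive encryption.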
Targets
-
-
Target
toldkammer.exe
-
AgentTesla
Agent Tesla is a commercially sold .NET-based remote access tool (RAT) and information stealer that harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP, HTTP or Telegram; the configuration extracted from this sample uses SMTP.
-
Checks QEMU agent file
Checks for the presence of the QEMU guest agent on disk, a common indicator that the sample is running in a virtual machine or sandbox.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
Reads the Outlook profile registry keys, where configured account settings and saved credentials are stored; consistent with Agent Tesla's mail-client credential harvesting.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag (0x4), so an attached debugger receives no events for that thread (anti-debugging).
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11), detaching the calling thread from any attached debugger (anti-debugging).
-
Suspicious use of SetThreadContext
Rewrites another thread's register state; together with a suspended child process and WriteProcessMemory this is the classic way to redirect a hollowed process to injected code (RunPE-style injection). On its own the call is also made by legitimate debuggers, so the surrounding sequence matters.
-
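The three "Suspicious use of ..." signatures are API-level behaviours, and the distinction between the anti-debug calls (a single call with a specific argument) and SetThreadContext (suspicious only as part of a sequence) is what a detection engineer has to encode. The script below is an added example, not the sandbox's own signature logic. It walks a constructed API trace in key=value form (the trace format, the PIDs and the handle values are assumptions) and raises the two HideFromDebugger signatures on the argument constants, while SetThreadContext is only escalated to a process-hollowing finding when CreateProcess with CREATE_SUSPENDED, WriteProcessMemory, SetThreadContext and ResumeThread appear in order in the same process.

```python
"""Flag the anti-debugging and thread-manipulation calls behind the three
"Suspicious use of ..." signatures in a constructed sandbox API trace.
Example code added to this report, not the sandbox's own signature logic."""
from collections import defaultdict

# Well-known Windows constants behind the signatures.
THREAD_HIDE_FROM_DEBUGGER = 0x11          # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4
CREATE_SUSPENDED = 0x4                    # CreateProcess dwCreationFlags

# Ordered call chain of RunPE-style process hollowing within one process.
HOLLOWING_CHAIN = ("CreateSuspended", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

# Constructed trace lines (not from the report): PIDs, handles, sizes and the
# child image name are assumptions; the call names and flag values are the
# ones the signatures look for.  pid 2210 models a benign SetThreadContext
# with no hollowing chain around it.
SAMPLE_TRACE = [
    "pid=1204 api=NtSetInformationThread ThreadHandle=0xfffffffe ThreadInformationClass=0x11",
    "pid=1204 api=NtCreateThreadEx ProcessHandle=0xffffffff CreateFlags=0x4",
    "pid=1204 api=CreateProcessW ApplicationName=child.exe CreationFlags=0x4 NewPid=3380",
    "pid=1204 api=WriteProcessMemory ProcessHandle=0x2a8 BaseAddress=0x400000 Size=0x9e000",
    "pid=1204 api=SetThreadContext ThreadHandle=0x2ac",
    "pid=1204 api=ResumeThread ThreadHandle=0x2ac",
    "pid=2210 api=SetThreadContext ThreadHandle=0x150",
]


def parse_kv(line: str) -> dict:
    """Parse a whitespace-separated key=value trace line."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def hex_int(ev: dict, key: str) -> int:
    """Hex argument as int, or 0 when the field is absent."""
    return int(ev[key], 16) if key in ev else 0


def is_subsequence(needle, haystack) -> bool:
    """True if all items of needle occur in haystack in that order (gaps allowed)."""
    it = iter(haystack)
    return all(step in it for step in needle)


def detect(trace: list) -> list:
    """Return (pid, finding) tuples for the trace."""
    findings = []
    chain = defaultdict(list)  # pid -> ordered hollowing-relevant steps
    for line in trace:
        ev = parse_kv(line)
        pid, api = ev.get("pid"), ev.get("api")
        # Single-call anti-debug signatures, keyed on the argument value.
        if api == "NtSetInformationThread" and hex_int(ev, "ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append((pid, "NtSetInformationThreadHideFromDebugger"))
        elif api == "NtCreateThreadEx" and hex_int(ev, "CreateFlags") & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            findings.append((pid, "NtCreateThreadExHideFromDebugger"))
        # Sequence-based injection signature: collect steps per process.
        if api == "CreateProcessW" and hex_int(ev, "CreationFlags") & CREATE_SUSPENDED:
            chain[pid].append("CreateSuspended")
        elif api in ("WriteProcessMemory", "SetThreadContext", "ResumeThread"):
            chain[pid].append(api)
    for pid, steps in chain.items():
        if is_subsequence(HOLLOWING_CHAIN, steps):
            findings.append((pid, "ProcessHollowingChain"))
        elif "SetThreadContext" in steps:
            findings.append((pid, "SetThreadContextOnly"))  # low confidence on its own
    return findings


if __name__ == "__main__":
    for pid, finding in detect(SAMPLE_TRACE):
        print(pid, finding)
```

The ordered-subsequence check is deliberately loose (other calls may sit between the four steps), which is how real traces look; tightening it to adjacent calls would miss samples that interleave anti-analysis calls into the injection sequence.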