General
Target: ADCO RFQ 007443111409.exe
Size: 676KB
Sample: 230330-khk2vsbg62
MD5: eb61f0650317529d7fb28c9d839d3612
SHA1: d26c96468c322b0148384ed7674eb44abbfa4607
SHA256: 234cadb13e56e3214f609a0f493f2474e452cdfd3bb3e322e8cce51219032d03
SHA512: 78344e8d2113bf322cad9757a7ed3b5e3e00481fb4539feeba6c3b2893b8c3cddcf4d015303eee995e187507fc78d1541647f933bd107d567d7d08fa72ba255e
SSDEEP: 12288:RXbA6dvFFBKa7ofHS2A168u36ijLH8aM9Wav3yrtkfCmNkt9oiZVebjwQ/SAKIxU:RHvFFMaiHSTm6ijgrWavyOqmNkbdfmUx
Static task: static1
Behavioral task: behavioral1
  Sample: ADCO RFQ 007443111409.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: ADCO RFQ 007443111409.exe
  Resource: win10v2004-20230221-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.primevisionuae.com
  Port: 587
  Username: [email protected]
  Password: Pr1mevision
  Email To: [email protected]
Targets
Target: ADCO RFQ 007443111409.exe
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file
  Checks presence of the QEMU agent, possibly to detect virtualization.
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext