General
-
Target
5190672.zip
-
Size
543KB
-
Sample
230330-ngpv7sdh4x
-
MD5
5b207618d49abfd8b2d432706f8ebc2c
-
SHA1
90f74fd3d21a9f09aeb3116dbfc97cd49264686d
-
SHA256
9711294918a8cc2e424c2bd81b3c81b8f8d939e1c761588399c9fcde7a2d0ec3
-
SHA512
4026bd0a86d3204ca68089d6901c20d30fd2a31277a7a0ef8ec9045f77ee85a3583b3f598d8a1d57ed1d948aa98633fc7b5c5d3d2a8a9ad527d242415c0acf40
-
SSDEEP
12288:9/qM4kM4bFhqvxlknCIdkSkpD6a5Csr9YwaM8UaHEKrgEuJsz1rwrMYdFgymR:5lM4bFcknCIdk35CcYwanvr+JrJdFgyi
Static task
static1
Behavioral task
behavioral1
Sample
5190672.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
5190672.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.asiaparadisehotel.com - Port:
587 - Username:
sales@asiaparadisehotel.com - Password:
06bietthunhatrang - Email To:
officestore2022@gmail.com
Targets
-
-
Target
5190672.exe
-
Size
658KB
-
MD5
131fc2043b4c740cb1a3bd4a8398a780
-
SHA1
041be9bfdbed62d56906f5fe2ebdad0f1f7037d5
-
SHA256
191529d733524665838e0d27b44844ca0a3c914d8577d4f2d8c8b93ea4a7729a
-
SHA512
e2f5bd59a57b4a47756643e8395d9b8bdf2d1b02e3f4eb20409195027d7921e7614153b93efda90daa00e31cfd72f4f1e26774121d90b3995e681463c69af31c
-
SSDEEP
12288:74DM4ky4LFhqvVeACFUYvHoIlC/BEzOCHHwaMgUa3EKrgXcsznauIimOMt+k:7Zy4LFyefHNlw+zOCnwapHrcPnbIimX
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-