General
Target: RFQ U75553389.exe
Size: 425KB
Sample: 230330-p33jvscf89
MD5: 849c169c3d155741b67917f0d2fc1b42
SHA1: 65564cc1e52e5ea21a58c2d58f783917194ffce6
SHA256: 2214417ca9bcffaa0455831c963b576cbb072efb7ad6dca11068ebe69444cdcc
SHA512: 52452aaedf176aaf4ce5e128a64dcf53d3c1fff31e472d6aab46f89ce79936a9a7bd840457687ab874ef1a954bfa912da6f8f4baa1499ea46dd7a77c6b5efdd1
SSDEEP: 6144:mT4DtVDc8/gxCuWcoa4fuY9nNk7Us/MwIUvsu/w04rpsXesv/apx/c6v3suc9S+c:mTuStPuNkb/jVV4r+XlvS7x/suc0Gs5n
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ U75553389.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: RFQ U75553389.exe
  Resource: win10v2004-20230221-en
Malware Config
Extracted (agenttesla)
  Protocol: smtp
  Host: mail.primevisionuae.com
  Port: 587
  Username: manpreet@primevisionuae.com
  Password: Pr1mevision
  Email To: kalidot@yandex.com
Extracted
  Protocol: smtp
  Host: mail.primevisionuae.com
  Port: 587
  Username: manpreet@primevisionuae.com
  Password: Pr1mevision
Targets
Target: RFQ U75553389.exe
Size: 425KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext