General
Target: qFbGYuKhG1.exe
Size: 647KB
Sample: 230330-p3atvacf85
MD5: 4f34b0b75d7b9ebf3fbd77915cba976f
SHA1: 6b8a77a3a2c4a24c8ad7837fbf4c36e822953345
SHA256: 7333b7b77d906d10a63058e19f45e6cacd7c0295b229910cf30e5449085b365f
SHA512: c378d935732dd002d850e207a74b7927924c26152e06250c9a02aca4c1e550953d9fd26d7d52566d7d51792a58177346eb2a3af7be2f737f06af2db259682ba3
SSDEEP: 12288:MQw8m/eoBcBWYwywwpyuTdHEnyzW8M1s9d8fYf9/Ksq/KsI/Ksp:qNBcBWYYwD+KW8HkMtio5
Static task: static1
Behavioral task: behavioral1
  Sample: qFbGYuKhG1.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: qFbGYuKhG1.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.kumbarasigorta.com
Port: 587
Username: ceren@kumbarasigorta.com
Password: Ceren1234.
Email To: jodyfuller356@gmail.com
Targets
Target: qFbGYuKhG1.exe
Size: 647KB
MD5: 4f34b0b75d7b9ebf3fbd77915cba976f
SHA1: 6b8a77a3a2c4a24c8ad7837fbf4c36e822953345
SHA256: 7333b7b77d906d10a63058e19f45e6cacd7c0295b229910cf30e5449085b365f
SHA512: c378d935732dd002d850e207a74b7927924c26152e06250c9a02aca4c1e550953d9fd26d7d52566d7d51792a58177346eb2a3af7be2f737f06af2db259682ba3
SSDEEP: 12288:MQw8m/eoBcBWYwywwpyuTdHEnyzW8M1s9d8fYf9/Ksq/KsI/Ksp:qNBcBWYYwD+KW8HkMtio5
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext