General
Target: 495b0122-e196-4271-8992-bc9b22c8a5af.rar
Size: 687KB
Sample: 230330-wls3esfb6w
MD5: 14a7895f66e0cb9c00b477baac4f324c
SHA1: 8806eab80b54f25f47645f49f15f26cb04f604ab
SHA256: eefa163975eecfca65224623f2ba310e633d98d62e35bd8f0f0a5127ea37a246
SHA512: 4c9b5c85dec5dd5c446622258a1de9d3075399f3953c92bf9c3c437f6f41eba023b635ae608df2b283861b2505eba1d2cdfc325cef8c56809aa57cf0548684be
SSDEEP: 12288:PTm0b92HKtXt1pC80ZoYInnitBWarBcufCuyfStzzwW4blUKY6:y0AWxORysCffStyY6
Static task: static1
Behavioral task: behavioral1
  Sample: 495b0122-e196-4271-8992-bc9b22c8a5af.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 495b0122-e196-4271-8992-bc9b22c8a5af.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.ardsmmm.com
Port: 587
Username: ebru@ardsmmm.com
Password: Ard2015**
Email To: oficinaabonosjuanluca@gmail.com
Targets
Target: 495b0122-e196-4271-8992-bc9b22c8a5af.exe
Size: 767KB
MD5: b6109aab2d2a51ea0c6f6b28aa2a869a
SHA1: c02f08dea05b56f953b5c724499c552dc7126c4a
SHA256: 2abb89507bbcec354ea3293c13851505059ade5b0b6070793cd69e44e01dcceb
SHA512: 9651051086d96a83fcbf8cfcd11f2e569a08a905e74deece22756a357594c601be05fa81f9d624c2c6014cf4a5a9ad9ca5a904751faf53d7a0e2dd3870e7b627
SSDEEP: 12288:/ghti/pICWSh/cg9E2bCVGpzOH/8/6l0ankiuhSnRTt1q15WkndorDNJcaugJjUJ:4O2ohkgO2Goek00ankzhSpXq15fndorw
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext