General
- Target: QUOTATION.zip
- Size: 427KB
- Sample: 230331-l9ngqshc53
- MD5: ab48236e894a48db135c0e367093ba22
- SHA1: 6ab2aa1c63f182837466480ad0695128b27cb534
- SHA256: e28188df2ced3fb282c0ad2f7fb0104df0d090aa9ca0435840af48f9c279f5d5
- SHA512: a426178a3c99d393173d099d72ac999cbcc8034e6606a91a2f01edb1babb9c2813919eea24187325f7ffd9e33b28c2aac10ab205b632c6f1060a1ba90b1d9d7a
- SSDEEP: 12288:IlevCUDOjCwULASpTW4+ziH32ZV6Q5h9hg5kq:IlevC+qKX2ZV6laq
Static task: static1
Behavioral task: behavioral1
- Sample: QUOTATION.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: QUOTATION.exe
- Resource: win10v2004-20230221-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.southernboilers.org
- Port: 587
- Username: info@southernboilers.org
- Password: Sksmoke2018#
- Email To: obtxxxtf@gmail.com
Targets
- Target: QUOTATION.exe
- Size: 646KB
- MD5: 50d792a1ee7059bfaf34afd54b32cba8
- SHA1: a4b32d17b36b20155545927450a43eb2d117a306
- SHA256: 1b85fb5069a28ee305b4371bda09a96674ec37d9ebc52aecdb6c6245419f067f
- SHA512: 85b75b15bdc59e7b12cae69c0d3245ef7b7d45cbb0a1a5e09232c03844400883dfe01a81a4d69752dcd43c7568f96e747959a28adb08e10c72aefa06e623afea
- SSDEEP: 12288:AKPFSP0zGiyywVbU+zi93cZ/6QlJ9hS2H:AiFSsGUwVbuFcZ/6d+
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext