General
- Target: QUOTATION.zip
- Size: 507KB
- Sample: 230402-m3hhksga24
- MD5: 7c00b7f52dd97aabc3f2f5882e1fc27a
- SHA1: 5bdff460107d3f0980ea6c0cb9204c76d277b471
- SHA256: 97dc660f0cfb6909975a36775b43cf0140691be53b14960877f000d437e939ed
- SHA512: dcae9405094aa45d274dd8d124f8c41aed3f117882e321f829f6dd57a89de24fa11f3137fcf8bd531bb8c61339d8019f32da094602ac214bdb0c45679583ac7d
- SSDEEP: 12288:t9XaGEE2LKfIL2hTmiJoMDdFqv9626Gm7okH1F:nazqhTJzdFq162Sk8F
Static task: static1
Behavioral task: behavioral1
- Sample: QUOTATION.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: QUOTATION.exe
- Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.southernboilers.org
- Port: 587
- Username: info@southernboilers.org
- Password: Sksmoke2018#
- Email To: obtxxxtf@gmail.com
Targets
- Target: QUOTATION.exe
- Size: 725KB
- MD5: 627d531f2361508ce6d650dfb74f50b7
- SHA1: 74cdf31cf47ce5898fc6391bfdd1b8801bc2813f
- SHA256: fa1cb59a2e33d1b2256194f4741afc762ef819cf058614afd490f56e5e92bcd5
- SHA512: e13dc5bdf4e48cabdfe165fdad52c686d64d583e91d7251ea0b70d0437dd13be7fbbc56e5d81ae1647a6a04ff47a3c8aa84076ba5a049e907fa0dd02afa51066
- SSDEEP: 12288:nUuXMbBzUnxUn7bNVVebMyywV42hhmihgMDdvqv96q6GmdEk9z:fXMbynWnlwVHh1hbdvq16qSmu
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext