General
- Target: PRICE REQUEST FOR PO#017897.exe
- Size: 423KB
- Sample: 230403-gm2nmaee4w
- MD5: 17f10da48f408784b89b99b63c03c86f
- SHA1: 716060ed46ff43fa9d34dc549175182d1780425b
- SHA256: c92700f557efbce3d2bdde80abfe0397c6816f4df90487f2fae25d05ecdb1581
- SHA512: 4c3c6ac20e4f9c130448bbd38050852f77e7b86776a1f24fce59c41f03befa35a5bb82367fb6055f4ff4fefcf3316f891e8c1163ac5724a3f78076702e701d9a
- SSDEEP: 6144:mT4DtVDc8/gxCuWcaUJSjqGV5+tgiTIF15HSUDsBeavld1RQsdlYMnkxaz5T:mTuSt3J6qsisSysLvld1X8Mncs5T
Static task
- static1
Behavioral task
- behavioral1: PRICE REQUEST FOR PO#017897.exe (resource: win7-20230220-en)
Behavioral task
- behavioral2: PRICE REQUEST FOR PO#017897.exe (resource: win10v2004-20230220-en)
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.primevisionuae.com
- Port: 587
- Username: manpreet@primevisionuae.com
- Password: Pr1mevision
- Email To: africanjass@yandex.com
Targets
- Target: PRICE REQUEST FOR PO#017897.exe (423KB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file
  Checks presence of the QEMU agent, possibly to detect virtualization.
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext