General
- Target: ungziped_file.exe
- Size: 504KB
- Sample: 230403-gm2zdsee41
- MD5: 4e779addb4aeb32182ad139fdf0b5045
- SHA1: 8313c21225aaaa03d09947843d44e33d3e513257
- SHA256: 4da86275e812956ff0873926fc947334e4a398a623241028babaabf252a2ea0e
- SHA512: a603d57a958c815c5c353fb18c150325bd614ab2b708ceadce6677f6dc5cd324ce668e90edfa5e23113604d43764a639daac7f1d73cf93236eee93cba08f63bc
- SSDEEP: 12288:nz9GxaChlC3qKOcVbNUW+YCt/JSyhtrVtYHe4P1vg:cC3iKNUWuSyhtTYH7P1g
Static task: static1
Behavioral task: behavioral1
- Sample: ungziped_file.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: ungziped_file.exe
- Resource: win10v2004-20230221-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.homesteadgroove.com
- Port: 21
- Username: ceecee@homesteadgroove.com
- Password: 430M=DwOtIfm
Targets
- Target: ungziped_file.exe
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file: Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext