General
-
Target
3F1D82991F839EA53AD6BD8CE9BBCADB610B01A6AA6C3CD3425AD24684836C56
-
Size
269KB
-
Sample
230518-cet7cshb92
-
MD5
9947af885dfd9d273b63b84179cd0a51
-
SHA1
90388c8f2e968214fa382eff984e2b0094173037
-
SHA256
3f1d82991f839ea53ad6bd8ce9bbcadb610b01a6aa6c3cd3425ad24684836c56
-
SHA512
17a70130444b765df5d8e59cba620b05131c1c6202c4fd6d2e1e9ed01593cd5b867be0ff2083b06c993d9d67d8a0b532eb53f2bb4e38eb39303934e7b94b53d2
-
SSDEEP
6144:BRYSdg+BS3Lm2gqYgXdcV4uoElcIZHxN7/0RJct3UBw:HC+BS3LHglOcV4ZElco1Iw
Static task
static1
Behavioral task
behavioral1
Sample
MT103_0311021014 PDF.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
MT103_0311021014 PDF.exe
Resource
win10v2004-20230221-en
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.mcmprint.net
Port: 21
Username: [email protected]
Password: FpFpVzJdTV!d
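The extracted configuration above is a ready-made network indicator: the sample authenticates to a fixed FTP server and pushes stolen data to it. The following Python is an added example, not part of the sandbox report, showing how an analyst would match FTP control-channel activity against that config. The host, port and password are taken from the report; because the page redacts the local part of the username, only its domain is matched. The `FtpSession` shape and both session transcripts are constructed for the example.

```python
"""Match the AgentTesla FTP exfiltration config against FTP control sessions.

Added example, not part of the sandbox report. Indicator values come from
the "Extracted" config; the session transcripts below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Indicators from the extracted config. The report redacts the local part of
# the username, so only the domain part is treated as reliable.
C2_HOST = "ftp.mcmprint.net"
C2_PORT = 21
C2_USER_DOMAIN = "mcmprint.net"
C2_PASSWORD = "FpFpVzJdTV!d"

# FTP control-channel commands are 3-4 letters, optionally followed by one argument.
FTP_CMD = re.compile(r"^(?P<cmd>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


@dataclass
class FtpSession:
    dst_host: str
    dst_port: int
    client_lines: List[str]  # commands the client sent, one per line


def analyze_session(session: FtpSession) -> List[str]:
    """Return the indicators this session shares with the extracted config."""
    hits: List[str] = []
    if session.dst_host.lower() == C2_HOST and session.dst_port == C2_PORT:
        hits.append(f"destination matches C2 {C2_HOST}:{C2_PORT}")
    uploads: List[str] = []
    for raw in session.client_lines:
        m = FTP_CMD.match(raw.strip())
        if not m:
            continue
        cmd = m.group("cmd").upper()
        arg = (m.group("arg") or "").strip()
        if cmd == "USER" and "@" in arg and arg.lower().rsplit("@", 1)[1] == C2_USER_DOMAIN:
            hits.append(f"USER in C2 domain: {arg}")
        elif cmd == "PASS" and arg == C2_PASSWORD:
            hits.append("PASS matches the extracted password")
        elif cmd == "STOR":
            uploads.append(arg)
    if uploads:
        # An upload of harvested data over FTP shows up as STOR on the control channel.
        hits.append("uploads via STOR: " + ", ".join(uploads))
    return hits


def scan(sessions: List[FtpSession]) -> List[List[str]]:
    """Analyze every session; two or more hits on one session is worth an alert."""
    return [analyze_session(s) for s in sessions]


# Constructed sessions: one matching the config, one benign anonymous login.
SESSIONS = [
    FtpSession("ftp.mcmprint.net", 21, [
        "USER redacted-local-part@mcmprint.net",  # local part is not in the report
        "PASS FpFpVzJdTV!d",
        "TYPE I",
        "PASV",
        "STOR harvested_credentials.html",  # constructed file name
        "QUIT",
    ]),
    FtpSession("ftp.example.org", 21, [
        "USER anonymous",
        "PASS guest@",
        "RETR README",
        "QUIT",
    ]),
]

if __name__ == "__main__":
    for session, hits in zip(SESSIONS, scan(SESSIONS)):
        print(f"{session.dst_host}:{session.dst_port} -> {hits or 'no indicators'}")
```

Matching the destination alone is the weakest signal (the FTP host could be a compromised legitimate server); the USER domain and PASS value tie a session to this specific config, and STOR confirms data actually left the host. Feed it Zeek `ftp.log` or a reassembled control stream rather than raw packets, since the commands must be seen in order.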
Targets
-
Target
MT103_0311021014 PDF.exe
-
Size
298KB
-
MD5
b0d667aad13369585fb9399464927bde
-
SHA1
c34036ae5e27f405d2ed874a65e2dc86852b65f1
-
SHA256
bc31dc9da857aefa9d8865b8045b32e4af5a76f138c89f533c40ce1c662fd89d
-
SHA512
3db2da5ef2c5a745ef00f0ce0e3243fac5623b80771641d574421cf9003a287f98fc2f2664c3f6a541a718d8ead1c779cedd6ec24ad57ac2611095be123f8919
-
SSDEEP
6144:V1onEmMMMMMjMMMMMMMVW2S3LmcgAo0RJc54uoElKilHxN7/8RJ0tx2B:HodMMMMMjMMMMMMMV/S3LTgBMc54ZElK
-
AgentTesla
Agent Tesla is a remote access trojan (RAT) and information stealer written in Visual Basic .NET. It exfiltrates harvested credentials and keystrokes over SMTP, FTP or HTTP; the FTP account in the extracted config above is this sample's exfiltration channel.
-
Checks QEMU agent file
Checks for the QEMU guest agent on disk, most likely to detect that it is running inside a virtual machine or analysis sandbox.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
Reads the Outlook profile store, where mail account settings and saved credentials are kept; consistent with credential theft.
-
Looks up external IP address via web service
Queries a legitimate public IP-lookup web service to learn the infected host's external IP address, typically so it can be reported alongside the stolen data.
-
Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER (0x4), so an attached debugger receives no events for that thread; an anti-analysis technique.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11) on an existing thread, which stops a debugger from receiving its exceptions and breakpoints.
-
Suspicious use of SetThreadContext
Rewrites another thread's register context. Following WriteProcessMemory on a process created suspended, this redirects execution to injected code (process hollowing / RunPE).
-
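The three thread-related signatures above (hiding threads from the debugger via NtCreateThreadEx and NtSetInformationThread, and SetThreadContext as part of a hollowing chain) are easiest to confirm from the sandbox's API trace. The Python below is an added example, not part of the report or of any sandbox's own logic: it parses a constructed API trace in a simple `pid=… tid=… Call(args) -> ret` format (an assumed layout, not any specific sandbox's output) and flags the two hide-from-debugger calls plus the CREATE_SUSPENDED, WriteProcessMemory, SetThreadContext, ResumeThread sequence. The constants are the documented Windows NT values; the trace lines are constructed.

```python
"""Flag anti-debug thread flags and a process-hollowing chain in an API trace.

Added example, not from the report. The trace format is an assumed layout;
the constants are the documented Windows values.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

THREAD_HIDE_FROM_DEBUGGER = 0x11              # NtSetInformationThread info class
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
CREATE_SUSPENDED = 0x4                         # CreateProcess dwCreationFlags bit

LINE_RE = re.compile(r"^pid=(\d+)\s+tid=(\d+)\s+(\w+)\((.*)\)\s*->\s*(\S+)$")
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)')  # key=value, quoted or bare

# Order of calls that makes up the classic RunPE / process-hollowing pattern.
HOLLOWING_CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


@dataclass
class ApiCall:
    pid: int
    tid: int
    name: str
    args: Dict[str, str]
    ret: str


def parse_trace(text: str) -> List[ApiCall]:
    """Turn trace lines into ApiCall records, skipping anything that is not a call."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, tid, name, argstr, ret = m.groups()
        args = {k: v.strip() for k, v in ARG_RE.findall(argstr)}
        calls.append(ApiCall(int(pid), int(tid), name, args, ret))
    return calls


def as_int(value: str) -> int:
    """Parse 0x11 / 17 style values; a missing or malformed value counts as 0."""
    try:
        return int(value, 0)
    except ValueError:
        return 0


def detect(calls: List[ApiCall]) -> List[str]:
    findings: List[str] = []
    stage: Dict[int, int] = {}  # pid -> index of the next expected hollowing step
    for c in calls:
        if c.name == "NtSetInformationThread" and \
                as_int(c.args.get("ThreadInformationClass", "")) == THREAD_HIDE_FROM_DEBUGGER:
            findings.append(f"pid {c.pid}: NtSetInformationThread(ThreadHideFromDebugger)")
        elif c.name == "NtCreateThreadEx" and \
                as_int(c.args.get("CreateFlags", "")) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            findings.append(f"pid {c.pid}: NtCreateThreadEx with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER")
        # Advance the per-pid hollowing state machine only when the expected call appears.
        i = stage.get(c.pid, 0)
        expected = HOLLOWING_CHAIN[i]
        if c.name.startswith(expected):
            if expected == "CreateProcess" and \
                    not (as_int(c.args.get("dwCreationFlags", "")) & CREATE_SUSPENDED):
                continue  # a normally started child is not the start of a hollowing chain
            stage[c.pid] = i + 1
            if stage[c.pid] == len(HOLLOWING_CHAIN):
                findings.append(f"pid {c.pid}: CREATE_SUSPENDED -> WriteProcessMemory -> "
                                "SetThreadContext -> ResumeThread (hollowing pattern)")
                stage[c.pid] = 0
    return findings


# Constructed trace: one process showing all three behaviours, one benign priority change.
SAMPLE_TRACE = r"""
=== constructed API trace (not from the report) ===
pid=1337 tid=4 NtSetInformationThread(ThreadHandle=0xfffffffe, ThreadInformationClass=0x11, ThreadInformation=0x0, Length=0x0) -> 0x0
pid=1337 tid=4 NtCreateThreadEx(ProcessHandle=0xffffffff, CreateFlags=0x4, StartRoutine=0x4015a0) -> 0x0
pid=1337 tid=4 CreateProcessW(lpApplicationName="C:\\Users\\user\\Desktop\\MT103_0311021014 PDF.exe", dwCreationFlags=0x4) -> 1
pid=1337 tid=4 WriteProcessMemory(hProcess=0x2a8, lpBaseAddress=0x400000, nSize=0x2e000) -> 1
pid=1337 tid=4 SetThreadContext(hThread=0x2ac) -> 1
pid=1337 tid=4 ResumeThread(hThread=0x2ac) -> 1
pid=2001 tid=8 NtSetInformationThread(ThreadHandle=0x1c4, ThreadInformationClass=0x2, ThreadInformation=0x0, Length=0x4) -> 0x0
"""

if __name__ == "__main__":
    for finding in detect(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The hollowing check is deliberately a strict in-order state machine, so it reports only when all four steps are present for one pid; variants that use NtWriteVirtualMemory, NtResumeThread or the Wow64 context APIs need those names added to the chain. ThreadHideFromDebugger has no legitimate use in ordinary applications, so either hide-from-debugger finding on its own is a strong anti-analysis indicator.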