General
- Target: Fra 592770.gz
- Size: 461KB
- Sample: 230526-ntewrsfg3t
- MD5: f11ce2ea0976786a163ff6458192037b
- SHA1: 778a65e2eb1754177e5f4434ebfbd3ce718615e4
- SHA256: 337983575e80cb3730ba94f65113f5f2c2f68d634a9375692d9b2f9be3a3214c
- SHA512: 33a2d04a2eff5f25e92a0c0c4b3c76958ba11c929b83ea7fcf5b50fd58fff9058e4e50e5288f370cd1c90cebea7b6645f616be8ef7ca0815ab535f9735cf7d34
- SSDEEP: 12288:XCIUGDQ1qcBfHcf/3v/G9kAwzTBylM1fTrm3KLs6NIGRA7k5kG:X+GDQ1NBfS/3v/G9kAkToW1fTy30s6Nf
Static task: static1
Behavioral task: behavioral1
- Sample: Kulbrintens.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Kulbrintens.exe
- Resource: win10v2004-20230221-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.otj.pt
- Port: 587
- Username: info@otj.pt
- Password: zrevuafs1kd4
- Email To: atlantiidafacturas@gmail.com
Targets
- Target: Kulbrintens.bat
- Size: 800KB
- MD5: 705bf7e1d7de9cef11f0e2602ed07aaa
- SHA1: edd8565764e87a114fa683456c7285afcd500827
- SHA256: 7c65a78541ae61a1cb4415509a3e9c7a3a0d4dcf7200d9ec89536f37fd6b540c
- SHA512: c03bc38fba3c1726764c56fc75fd04406b68ce833e7e19c80c4dc69433fc61ca2a4fe6c27d59147e0e6829299bf2be8d7c96387c9488a5ec609faab55c9c973d
- SSDEEP: 12288:9PKcWfPW1nUOMafEa841G5ZYKstRDZr+SN3xBG+:FWonUZafEc1G5ZYKsjFr+m
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks QEMU agent file
  Checks presence of the QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext