General
-
Target
e65e27e0c4a8ea50e36985a26b33b672.bin
-
Size
14KB
-
Sample
230617-ccfwyshd9t
-
MD5
9358c1acb3ff895ed1ea2198595a25ef
-
SHA1
76ef8f36542fafb29ac69ca33e44da5d5755637b
-
SHA256
0c3270aa02d427984c0ca12d3ea6b3e62445b821bf736776a92614fe32717882
-
SHA512
193a99e1d6426d5f5592c525e3028c3bc8e2a445f1dcf1f1233a6c59061609069da12491dc52d8bf5a27e436c47a8dcb968a1c02eba99ca7297d0313c35ff084
-
SSDEEP
384:CoHA3yB//MG6s1BSKLzT1k1uoljL9Mzoc1NsQlZIfIQj:CoH0yB/UG6s1BSKvRk1/jy1NJZIfIQj
Static task
static1
Behavioral task
behavioral1
Sample
49daa059670f6f912d4754a24773df9326ef649f419ca2aaebcbee39e4b925e1.rtf
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
49daa059670f6f912d4754a24773df9326ef649f419ca2aaebcbee39e4b925e1.rtf
Resource
win10v2004-20230220-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
posta.ni.net.tr - Port:
587 - Username:
[email protected] - Password:
nilya1957 - Email To:
[email protected]
Targets
-
-
Target
49daa059670f6f912d4754a24773df9326ef649f419ca2aaebcbee39e4b925e1.doc
-
Size
27KB
-
MD5
e65e27e0c4a8ea50e36985a26b33b672
-
SHA1
47829286b8ab097fa79bf01bd6e8382f321843e3
-
SHA256
49daa059670f6f912d4754a24773df9326ef649f419ca2aaebcbee39e4b925e1
-
SHA512
496f269898d3f5e2154b3d4a3d99423be49d7925160f34a6eb00f4490b8de7ea9972d751bd5867600d473de391fd35478d9d840bb664892cfcfa4839a9231a9e
-
SSDEEP
768:wzFx0XaIsnPRIa4fwJMZnkIMFZy/XyNvdxKC:of0Xvx3EMZkDccvdxv
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-