General
- Target: 6a6ca8111f066f7c4110c123af309080ceead65edc3e473e98ef4ec4020ab91e_JC.zip
- Size: 415KB
- Sample: 230919-tgb71acc63
- MD5: df0ddc8aca2c59e3571553fd29adc5f5
- SHA1: d0178b00a9d8c463d6fec37b01f48e6258adbb9d
- SHA256: 6a6ca8111f066f7c4110c123af309080ceead65edc3e473e98ef4ec4020ab91e
- SHA512: c9e1406d7ce325a960e48187b4ca1b03c06c180ebcc6a64eaf2fa17ae5f9990edb8e0f0dab70f18051f6cc732ff53f4f78c9c94c6dcd2287c3d92ca4828e00e2
- SSDEEP: 12288:pk2YdZ6hsRuxnqWkAOVIOMLy6sABpn8si:G2YD6hZMLVIPLytz
Static task: static1
Behavioral task: behavioral1
- Sample: purchase_order T&B19-20PO128.pdf.exe
- Resource: win7-20230831-en
Behavioral task: behavioral2
- Sample: purchase_order T&B19-20PO128.pdf.exe
- Resource: win10v2004-20230915-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.unitechautomations.com
- Port: 587
- Username: [email protected]
- Password: Unitech@123
- Email To: [email protected]
Targets
- Target: purchase_order T&B19-20PO128.pdf.exe
- Size: 659KB
- MD5: 821f3780a936cbec78ef0a92a6abe240
- SHA1: 1068227546e0b7f016028033b34c3ffa5b3eb38e
- SHA256: b57506921f2720895173741a012333b7f8b981a58dfa16493088371371b815c3
- SHA512: cbe4077a61f22091b3d13d276ea637b097f192e0e0e9caf6bb379ff5211bb81cfcaaf854a29071a8c0e9054558d85fe605e1e3f3b3c0e07736c2e75518f3402d
- SSDEEP: 12288:93GBMjCfftXHRuznqQ+AORIKMLyUsiBpp8:9TkXEepRI7Lyn
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext