General
-
Target
BLMEDUUN300433842109232701.exe
-
Size
988KB
-
Sample
230921-q91jhsad55
-
MD5
96c9e0100fbd228ab1cb55316b9c1113
-
SHA1
bc791da74ede19128b1b23dbbbbc20d520945792
-
SHA256
2c80f6ca80f4b688d703f2092d8b0326c1cdc338096dcc7ce7966514b8a7e0a6
-
SHA512
fc7f6b6be2af79cd7140bad44c7cbacd75281957acf69f9c955c56e6b5dc6df847629a5c62f7deeb527a4aefd804a44c75e545a87e88f72da5aed2cbdca9edc2
-
SSDEEP
12288:l0X6EczAQE9L8cWwqUXUp48Y+mukc10zPsyozhzoF871oQbvKVT:JEczAJWdp4JikLPsjhzJOQbvKV
Static task
static1
Behavioral task
behavioral1
Sample
BLMEDUUN300433842109232701.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
BLMEDUUN300433842109232701.exe
Resource
win10v2004-20230915-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.westernguaranty.ph
Port: 587
Username: [email protected]
Password: wgc_cl04
Email To: [email protected]
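The extracted SMTP settings are the most directly actionable part of this report: the sample sends whatever it harvests to a mailbox through the listed server, so the host and port are network indicators for every machine that ran it. The script below is an added example, not part of the sandbox output, showing how to turn that configuration into detections and run them over log lines. The username, password and recipient are redacted in the page copy, so only host and port are used; the log layout (tab-separated, Zeek-like dns.log and conn.log subsets), every IP address and timestamp, and the Suricata sid are constructed for illustration.

```python
"""Operationalise the SMTP exfiltration settings extracted from this Agent
Tesla sample: derive network indicators and run them over log lines.

Added example, not part of the sandbox report. The username, password and
recipient address are redacted in the page copy, so only host and port are
used. Log layout (tab-separated, Zeek-like dns.log / conn.log subsets) and
all IP addresses and timestamps are constructed for illustration.
"""
from dataclasses import dataclass

# Copied from the "Malware Config" section of the report.
EXFIL_CONFIG = {"protocol": "smtp", "host": "mail.westernguaranty.ph", "port": 587}

DNS_FIELDS = ("ts", "uid", "orig_h", "query", "answers")
CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service")

# Constructed sample logs. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; the mapping of the exfil host to 203.0.113.25 is an assumption.
SAMPLE_DNS_LOG = """\
1695300000.90\tCd1\t10.0.0.15\tmail.westernguaranty.ph\t203.0.113.25
1695300001.00\tCd2\t10.0.0.15\tupdates.example.net\t198.51.100.7
1695300002.90\tCd3\t10.0.0.22\tMAIL.westernguaranty.ph.\t203.0.113.25
"""
SAMPLE_CONN_LOG = """\
1695300001.12\tCk1\t10.0.0.15\t49213\t203.0.113.25\t587\ttcp\tsmtp
1695300002.50\tCk2\t10.0.0.15\t49214\t198.51.100.7\t443\ttcp\tssl
1695300003.01\tCk3\t10.0.0.22\t49300\t203.0.113.25\t587\ttcp\tsmtp
1695300004.77\tCk4\t10.0.0.40\t49215\t203.0.113.25\t25\ttcp\tsmtp
"""


@dataclass(frozen=True)
class Alert:
    src: str      # internal host that triggered the alert
    uid: str      # log record that matched
    reason: str


def parse_tsv(text, fields):
    """Split tab-separated rows into dicts keyed by the given field names."""
    return [dict(zip(fields, line.split("\t"))) for line in text.strip().splitlines()]


def normalise_name(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def exfil_host_answers(dns_rows, host):
    """IPs the exfil host resolved to, gathered across every client."""
    ips = set()
    for row in dns_rows:
        if normalise_name(row["query"]) == host:
            ips.update(a for a in row["answers"].split(",") if a and a != "-")
    return ips


def detect_exfil(dns_text, conn_text, config=EXFIL_CONFIG):
    """Flag lookups of the exfil host and connections to any IP it resolved to."""
    dns_rows = parse_tsv(dns_text, DNS_FIELDS)
    conn_rows = parse_tsv(conn_text, CONN_FIELDS)
    host, port = config["host"], config["port"]
    known_ips = exfil_host_answers(dns_rows, host)
    alerts = []
    for row in dns_rows:
        if normalise_name(row["query"]) == host:
            alerts.append(Alert(row["orig_h"], row["uid"], f"DNS lookup of exfil host {host}"))
    for row in conn_rows:
        if row["resp_h"] not in known_ips:
            continue
        resp_p = int(row["resp_p"])
        if resp_p == port:
            reason = f"{config['protocol']} session to {row['resp_h']}:{resp_p} matches extracted config"
        else:
            # Same infrastructure on a different port: worth a look, lower confidence.
            reason = f"connection to exfil host {row['resp_h']} on unexpected port {resp_p}"
        alerts.append(Alert(row["orig_h"], row["uid"], reason))
    return alerts


def affected_hosts(alerts):
    """Sorted list of internal hosts to triage, deduplicated across alert types."""
    return sorted({a.src for a in alerts})


def suricata_dns_rule(config=EXFIL_CONFIG, sid=1000001):
    """Suricata rule for the exfil host lookup; sid is an assumed local-range value."""
    return (
        f'alert dns any any -> any any (msg:"AgentTesla SMTP exfil host lookup {config["host"]}"; '
        f'dns.query; content:"{config["host"]}"; nocase; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    found = detect_exfil(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG)
    for alert in found:
        print(f"{alert.src:<10} {alert.uid:<4} {alert.reason}")
    print("hosts to triage:", ", ".join(affected_hosts(found)))
    print(suricata_dns_rule())
```

Two practical caveats. Pivoting on the resolved address as well as the name catches hosts whose DNS traffic you did not capture (10.0.0.40 in the constructed data), but the address can change, so re-resolve the host periodically rather than hard-coding it. The password in an extracted configuration identifies a mailbox the operator controls or has taken over; it belongs in a report to the mail domain's owner and abuse contact, not in an interactive login from your network.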
Targets
-
Target
BLMEDUUN300433842109232701.exe
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. This sample exfiltrates the data it harvests over SMTP using the mail server and credentials in the extracted configuration above.
-
Checks QEMU agent file
Checks for the presence of the QEMU guest agent, most likely to detect that it is running in a virtual machine and change its behaviour in a sandbox.
-
Loads dropped DLL
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP, which Agent Tesla includes in the victim report it sends out.
-
Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with the hide-from-debugger flag set, so an attached debugger receives no events for that thread.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger information class, an anti-debugging technique that stops debug events for the thread from reaching a debugger.
-
Suspicious use of SetThreadContext
Rewrites another thread's register context; commonly seen when an injected or hollowed process is redirected to attacker-controlled code.
-