General
-
Target
e804c1c1ba4a78573799c2836aedd6c693fcafaff29af1a6b6c5eb36d86c647a_JC.7z
-
Size
605KB
-
Sample
231011-g1kl9sec81
-
MD5
384ee1a3a0b0323c882011f49280f6ef
-
SHA1
4a0a04d3033432055a5f76dcf6be775b455c0c7f
-
SHA256
e804c1c1ba4a78573799c2836aedd6c693fcafaff29af1a6b6c5eb36d86c647a
-
SHA512
3b291c956c5d28abf5eb3877386b45c9d21461cef3a38fe3c163109a8855b9b2dc4c793b2614be540adfb1cf58bdeff29bed1fce0575a1ceb4128c1ddd30c4a1
-
SSDEEP
12288:aQ+BZqpmeR042KPAALKscShUssxw1YIKkqKzX3JPY2iuUVUdKIjvO74c:cqkmJAgKsMVxw1PKkxHvcUzvnc
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.unitechautomations.com - Port:
587 - Username:
[email protected] - Password:
Unitech@123 - Email To:
[email protected]
Targets
-
-
Target
TH PG FORM E DRAFT FOR CEI2303125.pdf.exe
-
Size
781KB
-
MD5
06c8b7f78dba2ae3b809e9421cc0fbd7
-
SHA1
e2d34f41f171ca76f98bbe71aaa19e8233becfba
-
SHA256
26286ef181ca7f744d73b6922aadd24bf521de09e9fd149df088247314447075
-
SHA512
cece0c4fa19d551ce2ffebb3d1f023ca514c81c8d2de31b317693fbfdaadfe6b66c90f9eae7089c27328279817f96ebc0833676f3977e9490192f3d7d078affc
-
SSDEEP
12288:2Qc+UwZMMMDMMMcCUipLesc/79XsnwbYIKkKSzX3JPY2iuNmkov3fY+1:XLMMMDMMMcCFesM8nwbPKkDHv4BvvYu
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-