General
Target: Fwd Shipment Arrival Notification of 772165397672.rar
Size: 660KB
Sample: 231023-e4et3sdh9t
MD5: 22cd4b57176253afb3a21a8125691393
SHA1: b44a5ddd22c4029a8032c227cf2ed02125b6dbb7
SHA256: c8e8ec4644a64a23dc4d77aa42f20015e3acc28c685365029018f4e1514a07bd
SHA512: 4140096ee95c551742694622718e8545b9bc06207af6d957ac1a6dd42ca993da74f227bf98846d637a3d7787ae7ebcb80319ace81197b87a90c90dc0a81358a7
SSDEEP: 12288:EsnB/erJcM/kIFHB9PrLvzk1PqvwbmtdNBXYlSx0mAhTKCX:EssuM/kINB9PnI1yYbudboI0mGT1
Static task: static1
Behavioral task: behavioral1
  Sample: Fwd Shipment Arrival Notification of 772165397672.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: Fwd Shipment Arrival Notification of 772165397672.exe
  Resource: win10v2004-20231020-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.amtechcards.com
Port: 587
Username: [email protected]
Password: ]i[a(tUWlmp%
Email To: [email protected]
Targets
Target: Fwd Shipment Arrival Notification of 772165397672.exe
Size: 767KB
MD5: 60f7e75cf623309ea9af1f7106f162b9
SHA1: 4b345726e859ea482f97027696e27400bb2ea314
SHA256: 591a2f88c0fe0329efd376a5b9d4345852d744204236c0a3659eb67ac7c3cc69
SHA512: 915873c520a84623c8131c9ceee717482514af0043e0512b20581df105a9656b2314f0a009217738c411e18d20d510b3454d72e078ec4f69ba43bb3563f9cd94
SSDEEP: 12288:dbFipxkQb5yzvbYmBH0dAAMi1seETMqnS9kzfbXI9FK+2pFsq4/t+ol3XSGHxe8D:hFi5ebY0UdArzMqnSezDXCK+EFsN/Qo1
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext