General
-
Target
9ec70819dc9d3f98f1eed88a9ae64feb9cbeaaab1f6493cf4c9b145d0c41b1d2
-
Size
554KB
-
Sample
231201-gphnjafc97
-
MD5
6d83e2721177498d0133cd4cba5bdd56
-
SHA1
a0352dea49bdc720d9af6a30b071ef6059c6446f
-
SHA256
9ec70819dc9d3f98f1eed88a9ae64feb9cbeaaab1f6493cf4c9b145d0c41b1d2
-
SHA512
502fc3bef99e0f1b0f4c592baaba1ad30bb83e45401a3e780dbf904beac95070c723d651a00b4032905cf6e0bba37033bb65401ab86c3b80f19b9fd48312b53c
-
SSDEEP
12288:lL998WRjuub+q0GGvdZhfPbQA26t9BjtnHjn7Fxz8JgpdCRVI:lL998uTb+q0HFZRQArb7fxpYk
Behavioral task
behavioral1
Sample
Rybkdr.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Rybkdr.exe
Resource
win10v2004-20231127-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.asiaparadisehotel.com - Port:
587 - Username:
[email protected] - Password:
S,i*jv&Bj09k
Extracted
agenttesla
Protocol: smtp- Host:
mail.asiaparadisehotel.com - Port:
587 - Username:
[email protected] - Password:
S,i*jv&Bj09k - Email To:
[email protected]
Targets
-
-
Target
Rybkdr.exe
-
Size
1.1MB
-
MD5
d6393631100d7160ca348397cb01943d
-
SHA1
3ff0803ae9fd31efc74bcb29006c1cbf29b03f75
-
SHA256
eea977d6c736325a557a0c31552c49c51399748fc138db772735109fb6510757
-
SHA512
efef9bd64c68757c762a2fdbeb21cc6fc504b85dfd4f468b13504b00b365b58cd83aad3dbbc1cc12c8688d74777d69d6e09685cc9310a0cd29885f6a74fea576
-
SSDEEP
24576:X1uC5JT92RkNSIXtzdf1ZOS0e42xWVYknV3G/Z:AKfRdtsS0e4GIV3GR
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect PureLogs payload
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-