General
-
Target
RFQ5#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
-
Size
468KB
-
Sample
231204-k42lqsab3y
-
MD5
1176d9cca7689d1c8556c8aba1bacd88
-
SHA1
f92eb85a60af4e0f5952455639e515d1155c0425
-
SHA256
945e176b7aa6d3b13ca4f6cd758fe5ee04c49ab1778c2b5433166dfce5adc9e2
-
SHA512
0a9a63439fc6e6a371748af64d305237bd445b352f2129a5ad34dec62c34dc572b7c4948023598f97689d7318ad8534c8c8242083ee114dede9a2a39e811bb43
-
SSDEEP
12288:xaWeoF7enyZ9NodKDMIWJ8HpnhE3xHGeomWpHXr:QWemCqi0MI0wnyGNv5
Malware Config
Extracted
Protocol: smtp- Host:
server8.apps.ae - Port:
587 - Username:
[email protected] - Password:
samadaok4#
Extracted
agenttesla
Protocol: smtp- Host:
server8.apps.ae - Port:
587 - Username:
[email protected] - Password:
samadaok4# - Email To:
[email protected]
Targets
-
-
Target
RFQ5#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
-
Size
468KB
-
MD5
1176d9cca7689d1c8556c8aba1bacd88
-
SHA1
f92eb85a60af4e0f5952455639e515d1155c0425
-
SHA256
945e176b7aa6d3b13ca4f6cd758fe5ee04c49ab1778c2b5433166dfce5adc9e2
-
SHA512
0a9a63439fc6e6a371748af64d305237bd445b352f2129a5ad34dec62c34dc572b7c4948023598f97689d7318ad8534c8c8242083ee114dede9a2a39e811bb43
-
SSDEEP
12288:xaWeoF7enyZ9NodKDMIWJ8HpnhE3xHGeomWpHXr:QWemCqi0MI0wnyGNv5
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-