General
-
Target
Sales Contract DC-HHP-046.exe
-
Size
1002KB
-
Sample
231204-k4fz2aab52
-
MD5
95f1677bda0ecc9c08e5fa8df14c0e13
-
SHA1
8e40dd502651cee37fd7ee1eca5d34a3183a54c8
-
SHA256
6a785fc98d9962b475ba45b90865158bf15bdbbdc9caea83ea3afc3a84fed246
-
SHA512
b14a9cfb32964a80bc6a3fc1aef2cf54bf30ad31716aa6cca44d9fb6e033c22d843cc002c528a28c068f22cf5ae64bd3e6192d280565db2ffbd71755e6a52783
-
SSDEEP
12288:vp8FfEp4L+L/3FSr6RPO98wvpB6XFb6pwYETuWOmlHgKRKNIJX3hftGgNlsjQ:vpp4yckPyhBGx6ajNlHgKUKV3hIgnYQ
Static task
static1
Behavioral task
behavioral1
Sample
Sales Contract DC-HHP-046.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Sales Contract DC-HHP-046.exe
Resource
win10v2004-20231130-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.alrehmanglobaltex.com - Port:
587 - Username:
[email protected] - Password:
786@Pakistan
Extracted
agenttesla
Protocol: smtp- Host:
mail.alrehmanglobaltex.com - Port:
587 - Username:
[email protected] - Password:
786@Pakistan - Email To:
[email protected]
Targets
-
-
Target
Sales Contract DC-HHP-046.exe
-
Size
1002KB
-
MD5
95f1677bda0ecc9c08e5fa8df14c0e13
-
SHA1
8e40dd502651cee37fd7ee1eca5d34a3183a54c8
-
SHA256
6a785fc98d9962b475ba45b90865158bf15bdbbdc9caea83ea3afc3a84fed246
-
SHA512
b14a9cfb32964a80bc6a3fc1aef2cf54bf30ad31716aa6cca44d9fb6e033c22d843cc002c528a28c068f22cf5ae64bd3e6192d280565db2ffbd71755e6a52783
-
SSDEEP
12288:vp8FfEp4L+L/3FSr6RPO98wvpB6XFb6pwYETuWOmlHgKRKNIJX3hftGgNlsjQ:vpp4yckPyhBGx6ajNlHgKUKV3hIgnYQ
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-