General
Target: RFQ#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
Size: 419KB
Sample: 231204-k6rjjsab74
MD5: e5affde0f5a1c4a9add0486f25a7a84f
SHA1: a162bb997b463eda62d6fbbda2d1cb3df1a3c39b
SHA256: a057aab2994c9b2d3214e2ebdfa28dcce023546bf7154c8832bd27112c693e86
SHA512: 21fee0d115cc0dec2689eb9fe5926603c6c0d44e95f5f6733824d1452a7dfce6fae2d077d351250b12de391de474cf84e99df94d20c62b3a2c9e16d60c1d09a2
SSDEEP: 12288:QaWD2cfgiCZWzsACEPn1bpb5eYErd0CL4rTsv:hWy4HChACCnNpb5eYIBLSa
Static task: static1
Behavioral task: behavioral1
Sample: RFQ#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
Resource: win7-20231023-en
Behavioral task: behavioral2
Sample: RFQ#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
Resource: win10v2004-20231127-en
Malware Config
Extracted
Protocol: smtp
Host: server8.apps.ae
Port: 587
Username: [email protected]
Password: samadaok4#
Extracted (family: agenttesla)
Protocol: smtp
Host: server8.apps.ae
Port: 587
Username: [email protected]
Password: samadaok4#
Email To: [email protected]
Targets
Target: RFQ#467_DECMaT_PRODHangzhou_Zhongniu_Import_Export_pdf.exe
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext