General
- Target: mx5YxLHScoqMImo.exe
- Size: 1.9MB
- Sample: 231205-hzdm1aaa56
- MD5: 4e4c867be87859bce4c0ca42afed00d8
- SHA1: 186ccbb0eb39426dc0439c7dd388930dec0ebf2f
- SHA256: d9426f66ba3dbff178904ff41cbddf65618a0b7b776b460c5b4af3f3f78ab970
- SHA512: 39ca9e1845f4958370999fa28f635637b0ffe0b25ab047a6921245037de2dcd0e2313e3bd7f21b9cff8c28209737e43dd50b4a47618f81de812da8d2667a7610
- SSDEEP: 49152:nGpbwGhL9CgTtXcF8cpaR9MM2Tx2v8ZqgpKVad+WjGAmUjgwRl:nGpbwGpZTJc2cpW9Mjx2vGqgpz+WjGAj
Static task
- static1

Behavioral task
- behavioral1: sample mx5YxLHScoqMImo.exe, resource win7-20231020-en
- behavioral2: sample mx5YxLHScoqMImo.exe, resource win10v2004-20231127-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.globalifb.com
- Port: 587
- Username: [email protected]
- Password: &V._KD=;{GH6
- Email To: [email protected]
Targets
- Target: mx5YxLHScoqMImo.exe (1.9MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General)
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext