General

Target: SecuriteInfo.com.W32.Injector.XBOP-6641.27720.28084
Size: 514KB
Sample: 231205-stg4cabg9t
MD5: 11d897c228ac0e871e95d7ef0985504d
SHA1: 4c73e879cc0f50fa0e07b60349e0ac3bfa53d2c1
SHA256: 2b370d79df7c09342bb6fb8ad073474533310274a011593e4f40d6e7297b43fe
SHA512: 03a23421f6b8871f279d1847278657baf190ed7fc881edad823ad93f4c2c26672a391aac786684ef64bfcf34d3742ba4d90bc87c49170de41996897fd75350db
SSDEEP: 12288:Mbip2zW1/ykRVcJ5/N2r8lM9E9gE4UqlT8ICRhv1PNA9uLqSHhA4BL:MbiIzW1/zVGsX6SpZGv11A9hiBL
Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.W32.Injector.XBOP-6641.27720.exe
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.W32.Injector.XBOP-6641.27720.exe
  Resource: win10v2004-20231130-en
Malware Config

Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.mcmprint.net
Port: 21
Username: [email protected]
Password: pK@7[r0Y?XFT

The username survives on this page only as the placeholder "[email protected]", so the usable network indicators from this configuration are the exfiltration server ftp.mcmprint.net and port 21. The credentials identify the attacker's drop account; they are useful for abuse reports to the hosting provider, not for logging in.
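As an added example, not code from the report or from the sandbox vendor: a parser for the flattened configuration line above, the exfiltration endpoint it yields, and that endpoint matched against a few constructed network log lines. The log format, source addresses and timestamps are invented; the configuration string is copied from the report as rendered.

```python
import re
from urllib.parse import urlparse

# Constructed copy of the "Malware Config / Extracted / agenttesla" block as this
# report renders it: one flattened line. The username survives on the page only
# as the extraction placeholder "[email protected]", so it is kept verbatim here.
RAW_CONFIG = (
    "Protocol: ftp- Host: ftp://ftp.mcmprint.net - Port: 21 - "
    "Username: [email protected] - Password: pK@7[r0Y?XFT"
)

FIELDS = ("Protocol", "Host", "Port", "Username", "Password")


def parse_agenttesla_config(raw: str) -> dict:
    """Split the flattened 'Key: value - Key: value' line into a dict.

    The report separates fields with ' - ', but the first separator is glued to
    the protocol ('ftp- Host:') and a password may itself contain '-', so we
    split on the known key names and only trim the separator that precedes
    the next key, never the tail of the last value.
    """
    parts = re.split("(" + "|".join(FIELDS) + r"):\s*", raw)
    keys, values = parts[1::2], parts[2::2]
    cfg = {}
    for i, (key, value) in enumerate(zip(keys, values)):
        if i < len(keys) - 1:                       # not the last field
            value = re.sub(r"\s*-\s*$", "", value)  # drop trailing ' - ' / '- '
        cfg[key] = value.strip()
    return cfg


def exfil_endpoint(cfg: dict) -> tuple:
    """(scheme, host, port) of the exfiltration server; the Port field wins
    over any port embedded in the Host URL, and FTP's 21 is the fallback."""
    url = urlparse(cfg["Host"])
    host = url.hostname or cfg["Host"]
    port = int(cfg["Port"]) if cfg.get("Port") else (url.port or 21)
    return cfg["Protocol"].lower(), host, port


# Constructed network log lines (not from the report) in a simple
# "timestamp src -> dst proto detail" shape, to show the indicator in use.
SAMPLE_LOG = [
    "2023-12-05T09:41:02Z 10.0.0.15:51324 -> 203.0.113.5:21 ftp USER anonymous",
    "2023-12-05T09:41:07Z 10.0.0.15:51330 -> ftp.mcmprint.net:21 ftp USER [email protected]",
    "2023-12-05T09:41:09Z 10.0.0.15:51331 -> ftp.mcmprint.net:21 ftp STOR report.html",
    "2023-12-05T09:42:00Z 10.0.0.22:44010 -> example.org:443 tls ClientHello",
]


def match_exfil(lines, cfg: dict) -> list:
    """Return the log lines whose destination is the config's host:port."""
    _, host, port = exfil_endpoint(cfg)
    needle = f"-> {host}:{port} "
    return [ln for ln in lines if needle in ln]


if __name__ == "__main__":
    config = parse_agenttesla_config(RAW_CONFIG)
    print(config)
    print(exfil_endpoint(config))
    for hit in match_exfil(SAMPLE_LOG, config):
        print("exfil candidate:", hit)
```

Matching on the destination host rather than the username is deliberate: the username on this page is a placeholder, and an operator can rotate accounts on the same server far more cheaply than the server itself.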
Targets

Target: SecuriteInfo.com.W32.Injector.XBOP-6641.27720.28084
Size: 514KB
Score: 10/10

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, typically written in Visual Basic .NET; it harvests credentials from browsers and mail clients, logs keystrokes and clipboard contents, and exfiltrates the results over SMTP, FTP or HTTP. The family attribution here follows from the FTP configuration extracted above; the "Injector" name on the submitted file refers to the loader stage that unpacks the payload and injects it into another process.
Loads dropped DLL
The sample writes a DLL to disk and then loads it. A loader staging code in a user-writable location such as %TEMP% or %APPDATA% is typical of a packed sample, and the dropped file is worth collecting from the sandbox as a separate artifact.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP. Agent Tesla includes the victim's public IP in its exfiltrated reports. On its own this is a weak indicator, since legitimate software does the same; it carries weight only in combination with the signatures below.

Suspicious use of NtCreateThreadExHideFromDebugger
A thread created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER generates no debug events, so a debugger attached to the process never sees it. This is an anti-analysis measure, not something ordinary applications do.

Suspicious use of NtSetInformationThreadHideFromDebugger
NtSetInformationThread with the ThreadHideFromDebugger information class detaches an already running thread from the debugger in the same way; exceptions raised in that thread, software breakpoints included, are no longer delivered to the debugger.

Suspicious use of SetThreadContext
Rewriting another thread's register context, including its instruction pointer, is how an injector redirects a suspended target process to code it has written into that process, i.e. process hollowing. This is consistent with the "Injector" label on the sample and is the signature most worth pivoting on when hunting for the unpacked payload in memory.
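As an added example, not code from the report or from the sandbox vendor: the behavioural signatures above expressed as detection logic over a constructed API call trace of the kind a sandbox records. The constants are the documented Windows values; the hollowing chain it looks for (CreateProcess with CREATE_SUSPENDED, then WriteProcessMemory into the child, then SetThreadContext on the child's primary thread) is the classic pattern the SetThreadContext signature usually indicates, not a sequence the report itself spells out. Pids, file paths, the target process name and the list of IP-lookup hosts are assumptions.

```python
from urllib.parse import urlparse

# Documented Windows constants (ntdll / kernel32), not values from the report.
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
CREATE_SUSPENDED = 0x00000004                 # CreateProcess dwCreationFlags bit
GENERIC_WRITE = 0x40000000                    # CreateFile dwDesiredAccess bit

# Illustrative list of well-known public-IP lookup services (assumption; the
# report does not name the service the sample used).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}

# Constructed API trace in the shape of a sandbox call log: one dict per call,
# in execution order. Handles are written as the pid/tid they refer to, as a
# sandbox resolves them. Pids, paths and the target name are invented.
TRACE = [
    {"pid": 1200, "api": "NtSetInformationThread",
     "args": {"ThreadHandle": 1204, "ThreadInformationClass": 0x11}},
    {"pid": 1200, "api": "NtCreateThreadEx",
     "args": {"ProcessHandle": 1200, "CreateFlags": 0x4}},
    {"pid": 1200, "api": "CreateFileW",
     "args": {"lpFileName": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.dll",
              "dwDesiredAccess": 0x40000000}},
    {"pid": 1200, "api": "LoadLibraryW",
     "args": {"lpLibFileName": "C:\\Users\\u\\AppData\\Local\\Temp\\stage.dll"}},
    {"pid": 1200, "api": "CreateProcessW",
     "args": {"lpApplicationName": "C:\\Windows\\hollow_target.exe",
              "dwCreationFlags": 0x4},
     "ret": {"dwProcessId": 3344, "dwThreadId": 3348}},
    {"pid": 1200, "api": "WriteProcessMemory",
     "args": {"hProcess": 3344, "lpBaseAddress": 0x400000, "nSize": 0x6000}},
    {"pid": 1200, "api": "SetThreadContext", "args": {"hThread": 3348}},
    {"pid": 1200, "api": "ResumeThread", "args": {"hThread": 3348}},
    {"pid": 3344, "api": "InternetOpenUrlA",
     "args": {"lpszUrl": "http://api.ipify.org/"}},
]


def analyze_trace(trace):
    """Return (pid, finding) tuples mirroring the report's signature names.

    State is kept across calls so that SetThreadContext is only flagged when it
    targets a child this process created suspended and already wrote into;
    a lone SetThreadContext (debuggers, profilers) is not enough."""
    findings = []
    suspended = {}   # child pid -> (parent pid, primary thread id)
    written = set()  # child pids that received WriteProcessMemory
    dropped = set()  # paths opened for writing earlier in the trace
    for ev in trace:
        pid, api, args = ev["pid"], ev["api"], ev.get("args", {})
        if (api == "NtSetInformationThread"
                and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
            findings.append((pid, "NtSetInformationThread(ThreadHideFromDebugger)"))
        elif (api == "NtCreateThreadEx"
                and args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER):
            findings.append((pid, "NtCreateThreadEx with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER"))
        elif api in ("CreateFileW", "CreateFileA") and args.get("dwDesiredAccess", 0) & GENERIC_WRITE:
            dropped.add(args["lpFileName"].lower())
        elif (api in ("LoadLibraryW", "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA")
                and args.get("lpLibFileName", "").lower() in dropped):
            findings.append((pid, f"loads dropped DLL {args['lpLibFileName']}"))
        elif api.startswith("CreateProcess") and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            ret = ev.get("ret", {})
            suspended[ret.get("dwProcessId")] = (pid, ret.get("dwThreadId"))
        elif api == "WriteProcessMemory" and args.get("hProcess") in suspended:
            written.add(args["hProcess"])
        elif api == "SetThreadContext":
            for child, (parent, tid) in suspended.items():
                if parent == pid and child in written and args.get("hThread") == tid:
                    findings.append((pid, f"process hollowing: SetThreadContext on suspended child {child} after WriteProcessMemory"))
        elif api in ("InternetOpenUrlA", "InternetOpenUrlW"):
            host = urlparse(args.get("lpszUrl", "")).hostname
            if host in IP_LOOKUP_HOSTS:
                findings.append((pid, f"looks up external IP via {host}"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyze_trace(TRACE):
        print(f"pid {pid}: {finding}")
```

The IP lookup is attributed to pid 3344, the hollowed child, which is the point of correlating across the trace: the network behaviour belongs to the injected payload, not to the file that was submitted.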