General
-
Target
nSHIPPING DOCUMENT_9871610T00077003_pdf.cab
-
Size
608KB
-
Sample
231206-xa7l4sbf94
-
MD5
624abc807dde9168debfecd12ed68a39
-
SHA1
0caff508627beadb48a3c662f0f476e03c085604
-
SHA256
61a5dfe1070729024f430dc564ebe0b3b5e7566258fe06c9a132756b5223c73a
-
SHA512
b2de424cc9b704382739108fea40f48272cc87d0323ddd8a7cb19c6dc33812757138d1d6267ea5a3bf4bdfb585a394fc1d4604d9f852c205df3d236018517316
-
SSDEEP
12288:R6s8jX2yBOpMwZt+Oik9nwhBEm4pZ5fzJfO4mtRk3gFSAA:MLrgy8XtwhBH8Z5924mtRk3gIT
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.dcc-asia.com - Port:
587 - Username:
[email protected] - Password:
soso@#1235 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.dcc-asia.com - Port:
587 - Username:
[email protected] - Password:
soso@#1235
Targets
-
-
Target
SHIPPING DOCUMENT_9871610T00077003_pdf.exe
-
Size
639KB
-
MD5
c60068fde058f588a2b7fe236cfbc0e9
-
SHA1
d5b3d029b3645a1f2cbf14ec1d134276e47d60e2
-
SHA256
a75840200db6ba9313053ab15551f6c758d78ac9ffbe75ede0f36e744eaed24b
-
SHA512
146f766575aa3f81a4d90247871e17cd99bb572720f1a5b72a0ace9140476556d321e82526176bc831eefd029253c5fa627eb7ba78bbd73e2c080447fa2249c0
-
SSDEEP
12288:CE5QaueH5qjR82KUIdsNQ3GZDlOPk9JiPB7a4pZ5fBJfOUmtakjg7s:CE3qjWsI6wKo44PBu8Z5L2Umtaks
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-