General
- Target: swift copy.xls
- Size: 1.1MB
- Sample: 231211-smt5bsbfd6
- MD5: 66ca72c4462eaa25b60e6b763232a869
- SHA1: 5d867073ff9b46de8b7f205cad708c656fa35d05
- SHA256: 220fe5d95262f3b41e254a52b03b54e809ca4ef2ac80c7fb2048513ce34721dc
- SHA512: 2b3fffc7e555583d1d7d4f2e9eed8d54422cd555c1b5009abfd34bee429772871c9df9d44e948292af08d5e62d11dee4aab8afdf6ec7d5c272ec126265092ecc
- SSDEEP: 24576:lw6/6ZyXAXZS0IAXZSpkw6/GZyBcUfEx3jj6VDNanGdvKw2M8:W6/kBEsE56/QiffavMDNXCx1
Static task
- static1
Behavioral task
- behavioral1 (Sample: swift copy.xls, Resource: win7-20231023-en)
Behavioral task
- behavioral2 (Sample: swift copy.xls, Resource: win10v2004-20231130-en)
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.acestar.com.ph
- Port: 587
- Username: [email protected]
- Password: cssubic@12345
- Email To: [email protected]
Port 587 with a username and password is authenticated SMTP submission: the sample logs in to the attacker-controlled mailbox on this host and sends the stolen data as e-mail to the "Email To" address. The host, port and account are the actionable network indicators from this run.
Targets
- swift copy.xls
- AgentTesla: Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic); the extracted config above shows this build exfiltrating over SMTP.
- Detect ZGRat V1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: rewriting the context of another process's thread is the usual final step of process hollowing, where a process is created suspended, its image is replaced with the payload, and the main thread's entry point is redirected to it.
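The Malware Config and the behavioral signatures above are the two things a defender takes away from this report, so here is an added example (written for this page, not code from the sandbox or the report) that turns them into detection logic and runs it over constructed endpoint telemetry. The indicators (SHA256, exfil host, port 587) are copied from the report; the Sysmon-like JSON event shape, the field names, the process paths, the list of Office host binaries and the drop-directory fragments are all assumptions made for the example.

```python
import json
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the report (General and Malware Config sections).
SAMPLE_SHA256 = "220fe5d95262f3b41e254a52b03b54e809ca4ef2ac80c7fb2048513ce34721dc"
EXFIL_HOST = "mail.acestar.com.ph"   # Malware Config: Host
EXFIL_PORT = 587                     # Malware Config: Port (SMTP submission)

# Assumptions, not from the report: Office hosts that should not spawn
# executables out of user-writable paths or open SMTP connections themselves,
# and path fragments where dropped payloads typically land.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (assumption).
# Events 1-4 replay the chain implied by the report's signatures (download,
# Office opens the sample, dropped EXE runs, SMTP exfil); 5 and 6 are benign
# noise that must not alert; 7 is the same tradecraft against an unknown host.
SAMPLE_LOG = r"""
{"id": 1, "type": "file_create", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "path": "C:\\Users\\alice\\Downloads\\swift copy.xls", "sha256": "220fe5d95262f3b41e254a52b03b54e809ca4ef2ac80c7fb2048513ce34721dc"}
{"id": 2, "type": "process_create", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "parent": "C:\\Windows\\explorer.exe"}
{"id": 3, "type": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}
{"id": 4, "type": "network_connect", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "dest_host": "mail.acestar.com.ph", "dest_port": 587}
{"id": 5, "type": "network_connect", "image": "C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "dest_host": "smtp.example.net", "dest_port": 587}
{"id": 6, "type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent": "C:\\Windows\\explorer.exe"}
{"id": 7, "type": "network_connect", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "dest_host": "smtp.other-provider.example", "dest_port": 587}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def in_drop_dir(path: str) -> bool:
    """True if the path sits in a user-writable location used for drops."""
    return any(frag in path.lower() for frag in DROP_DIRS)


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: Iterable[Dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, event_id) for every event that matches a rule."""
    alerts: List[Tuple[str, int]] = []
    for ev in events:
        kind = ev.get("type")
        image = ev.get("image", "")
        if kind == "file_create":
            # Exact hash match against the analysed sample.
            if ev.get("sha256", "").lower() == SAMPLE_SHA256:
                alerts.append(("known_sample_hash", ev["id"]))
        elif kind == "process_create":
            # "Executes dropped EXE": an Office host starting a binary
            # from a user-writable location.
            if basename(ev.get("parent", "")) in OFFICE_HOSTS and in_drop_dir(image):
                alerts.append(("office_spawns_dropped_exe", ev["id"]))
        elif kind == "network_connect":
            host = ev.get("dest_host", "").lower()
            if host == EXFIL_HOST:
                # Direct hit on the extracted exfil host.
                alerts.append(("agenttesla_smtp_c2_host", ev["id"]))
            elif ev.get("dest_port") == EXFIL_PORT and (
                basename(image) in OFFICE_HOSTS or in_drop_dir(image)
            ):
                # Same tradecraft, unknown host: SMTP submission from a
                # process that has no business sending mail.
                alerts.append(("smtp_submission_from_unexpected_process", ev["id"]))
    return alerts


if __name__ == "__main__":
    for rule, event_id in detect(parse_events(SAMPLE_LOG)):
        print(f"{rule:45s} event {event_id}")
```

The host-based rule is the precise one but only catches this build; the port-587-from-an-unexpected-process rule is what survives the next rebuild of the sample with a different mailbox, at the cost of needing an allow-list of real mail clients (the Thunderbird event shows why). The hash rule is included because the report gives the hash, but it is the weakest of the three.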