General
- Target: IMG_008542100.pdf
- Size: 1.3MB
- Sample: 231212-myssrabfem
- MD5: 2f1d6b1a0ba37b4a5b7a62de21886b18
- SHA1: f0d8b39999e566f5177dfcfb73843a35f62e0100
- SHA256: ca28f4b4337e38b1d178853fc72012895eaee002bec90d907b177623eed6967c
- SHA512: 636b628e22f7ae1c3ca2f2e7323dc0a4787ae8108ed650594d1bdf0d7b3244ac6c3ce4254e5fc24414b30f3821ee5d8dc831d3f2032561221b27b71fc30501ea
- SSDEEP: 24:WbKZ7EjswTw+Lwky3lD6E5wkMMJIWgIXG2CSYapAakwOerXQr/3SlJiNno2fuxk2:tmswTwGwkyV1wkMYXG2lNkmXQbOiN0J
Behavioral task: behavioral1
- Sample: IMG_008542100.pdf
- Resource: win7-20231020-en
Behavioral task: behavioral2
- Sample: IMG_008542100.pdf
- Resource: win10v2004-20231127-en
Malware Config
Extracted
- http://62.233.57.103/hih/lew.exe
Extracted
- Protocol: smtp
- Host: server1.sqsendy.shop
- Port: 587
- Username: [email protected]
- Password: &qZV17u[D~36
Extracted
agenttesla
- Protocol: smtp
- Host: server1.sqsendy.shop
- Port: 587
- Username: [email protected]
- Password: &qZV17u[D~36
- Email To: [email protected]
Targets
- Target: IMG_008542100.pdf
- Size: 1.3MB
- MD5: 2f1d6b1a0ba37b4a5b7a62de21886b18
- SHA1: f0d8b39999e566f5177dfcfb73843a35f62e0100
- SHA256: ca28f4b4337e38b1d178853fc72012895eaee002bec90d907b177623eed6967c
- SHA512: 636b628e22f7ae1c3ca2f2e7323dc0a4787ae8108ed650594d1bdf0d7b3244ac6c3ce4254e5fc24414b30f3821ee5d8dc831d3f2032561221b27b71fc30501ea
- SSDEEP: 24:WbKZ7EjswTw+Lwky3lD6E5wkMMJIWgIXG2CSYapAakwOerXQr/3SlJiNno2fuxk2:tmswTwGwkyV1wkMYXG2lNkmXQbOiN0J
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext