General

Target: invoice.zip
Size: 599KB
Sample: 231212-r1bdpsefam
MD5: 744c7214a3c02b2be5d1f3f1db4895d2
SHA1: 51366b12a6afb55c515441cddcbc7a282af74f83
SHA256: d2d9e4702bd5fcdd2c230531aaf812745ee1c6a608ca25d793338b1e281aea17
SHA512: 5a73c5309519f51a0efd6c2248951050534ddb5b7eb9a9e0f7a90fad8fd795fb9a37534712f7f0f601b93de777cca204b59cb0d10705917a9a20fa6ce1faf4ca
SSDEEP: 12288:IxJZFl6oqBdQ60ycyDEkjA0wqN72cVoG9pQw9DNuWh9m/WvDz2YXVL:IxJZv6C60y77EHgvVZ/Q8DUoo4TXV
Static task: static1

Behavioral task: behavioral1
Sample: invoice.exe
Resource: win7-20231130-en

Behavioral task: behavioral2
Sample: invoice.exe
Resource: win10v2004-20231130-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: host2069.hostmonster.com
Port: 587
Username: [email protected]
Password: me!@#!@#!@#!@#
Email To: [email protected]
Targets

Target: invoice.exe
Size: 617KB
MD5: bdedff7283522a464ce8b8f0462af80f
SHA1: 1a9aa24b394506f87c848f8bca2ac56946d03c54
SHA256: 5f098e8e5a3788ca13ef019ec9cc3e4b0cd83f01b96f7f7610c273ae6e6e97a7
SHA512: c3a15670fb12624123e620271c4c7ea2834b76f31b72b63caaaa22cb333151c9dd043c7355254ece1d976317363aafe2b89e539abf17823b0c6b010336b1eeb9
SSDEEP: 12288:D3IU8S6eUd5x00ceDEkjA+wI97GctoG9pQ9yKyRHBD8JPMExtCQq:zItSAd5x00p7ERI/tZ/Q9yKQx8JPMGT
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1
- Checks computer location settings
  Looks up the country code configured in the registry, likely used for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext