General
Target: QUOTE DOCUMENTS_20240511 PDF.zip
Size: 601KB
Sample: 240125-tdwr8sabc9
MD5: 4e70462fa560292704e02b507846a9d8
SHA1: 26e2914a35a4ab5d2784e28217c065241967546b
SHA256: 6ffaaebb19875b9595f10244b5f4511620da8ce6d554c86bd9c00308b28a0c37
SHA512: ae9bdcff74e8dba732124cf0c9cd95271061f3835c3e20adb3621560bda2d88bbd327901f6326b8da7a1cef22d537481291d2c82316469d621da97b687a9a664
SSDEEP: 12288:UWEwy1JD2V2x5S+ymUYUwR8RzuxUW1JnUmo/TaJpdvTKeT0QEkR:21qVA5S+ymr8QxUW/UmPJTG+qkR
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTE DOCUMENTS_20240511 PDF.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: QUOTE DOCUMENTS_20240511 PDF.exe
  Resource: win10v2004-20231215-en
Malware Config
Extracted (agenttesla)
  Protocol: smtp
  Host: mail.coperwire.com
  Port: 587
  Username: [email protected]
  Password: H,)c,gn[z3QW
  Email To: [email protected]
Extracted
  Protocol: smtp
  Host: mail.coperwire.com
  Port: 587
  Username: [email protected]
  Password: H,)c,gn[z3QW
Targets
Target: QUOTE DOCUMENTS_20240511 PDF.exe
Size: 619KB
MD5: a02c28ae52f16981e6420d7871fd437a
SHA1: 2d66f9180a97b501b67d481a03d28249c8c86911
SHA256: 6f932d1404a384f3e5d190bcde1c819fb7a50daebabdd4c0384a65cb4fcb00de
SHA512: eca7ec594689ba6788ceb06c8d0c1acc22a6b112795fb2220ebfb31ec032014a8aa89f6300e6a38e311f4672c2da6260df2b4f5416fbdb97ad87cdce9f4a7282
SSDEEP: 12288:NiU3YSTvgxVS+8lfDTjshLVNQ5GKLmKyPn+KhaJxdhTKeTb+C7Sj:oJ6SVS+85/8RNMbLm7+KAJbk+b/7Sj

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext