General
Target: tmp0j754zx0
Size: 627KB
Sample: 240327-cey6bahh74
MD5: c0171e72a0f15b0f96fd44a248a2a898
SHA1: d5d97cc94e6b267ed9b7151bf56c52b0679bbe78
SHA256: c4213933d7d0d0e76edb873e4991a97e92b3dbc62a8b39e70ae4eba8ab908906
SHA512: c89bfd238b8885b5e57afebb69d26d35c7e93fbcd34724edb452de7841d03334050edf63f3cdd540357197d55ddd4ed29ba7888505a6b485bd2149cdead5188f
SSDEEP: 12288:1z64+JKNOfpPP78q1eJX1kbBuqcM0aYjP6gG:I4KJL84e1IBh6aY3G
Static task: static1
Behavioral task: behavioral1
  Sample: tmp0j754zx0.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: tmp0j754zx0.exe
  Resource: win10v2004-20240319-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win10v2004-20240226-en
Behavioral task: behavioral5
  Sample: systemmssig/Uigennemsigtiges.ps1
  Resource: win7-20240221-en
Behavioral task: behavioral6
  Sample: systemmssig/Uigennemsigtiges.ps1
  Resource: win10v2004-20240226-en
Malware Config
Extracted
  Protocol: smtp
  Host: mail.legodimo.co.za
  Port: 587
  Username: [email protected]
  Password: IFfo%142#
Extracted
  Family: agenttesla
  Protocol: smtp
  Host: mail.legodimo.co.za
  Port: 587
  Username: [email protected]
  Password: IFfo%142#
  Email To: [email protected]
Targets

Target: tmp0j754zx0
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: $PLUGINSDIR/nsExec.dll
Size: 6KB
MD5: b55f7f1b17c39018910c23108f929082
SHA1: 1601f1cc0d0d6bcf35799b7cd15550cd01556172
SHA256: c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
SHA512: d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa
SSDEEP: 96:L7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN538:RbGgGPzxeX6D8ZyGgmkN
Score: 3/10

Target: systemmssig/Uigennemsigtiges.Pro
Size: 58KB
MD5: 3c4c7decc6f175d87765a3e45b653749
SHA1: e9d3c7db2f91673fed217511890faaa5f049512d
SHA256: e3aaf138e1f9c9d0247633ab3042583bc73730e32d552331d818ac4a2666e828
SHA512: e5862e7c8294e3d1c1c0792434157bdf3ff041d41264ffa888ef51d26202e0a130e23959e543003aae478e933b2274f918b7b6ff066b11523d0f95fffeb7a75d
SSDEEP: 1536:rUgawnJYmeXBUJjRWm9Ky598waGjU3z6s:ggL6Usm7CP3X
Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.