General
- Target: 8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0
- Size: 530KB
- Sample: 240328-bvabfsac92
- MD5: 26fb066dda8ee5d29672ced8c73c832c
- SHA1: 1f525c92bf3ad97f5b9d8d5ec426a3b19a0d97ef
- SHA256: 8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0
- SHA512: 5f79492716a36eb9d6db1dcea3a1b9fa978988fade65fe422bdc0b5607343f80db289238930cb6c386fbd197009cfb8ce6ec0523a2ee34b3e2bef1a525f13cb5
- SSDEEP: 12288:DlbPIiKPOVzvTq0pKgPu3q9PjreluucV/pxzG+xNf1nEs:5PIROVvTNKgPWSfVHlNGs
Static task
- static1
Behavioral tasks
- behavioral1: Sample 8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0.exe, Resource win7-20240220-en
- behavioral2: Sample 8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0.exe, Resource win10v2004-20240226-en
- behavioral3: Sample pixel/Amerikanernes/Langobard/Expectorate/Inhaleres.ps1, Resource win7-20240221-en
- behavioral4: Sample pixel/Amerikanernes/Langobard/Expectorate/Inhaleres.ps1, Resource win10v2004-20240226-en
Malware Config
Extracted
- Protocol: smtp
- Host: shark.ipchina163.com
- Port: 587
- Username: [email protected]
- Password: jmgL01XJb+IK
Extracted (agenttesla)
- Protocol: smtp
- Host: shark.ipchina163.com
- Port: 587
- Username: [email protected]
- Password: jmgL01XJb+IK
- Email To: [email protected]
Targets

Target: 8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0
- Size: 530KB
- MD5: 26fb066dda8ee5d29672ced8c73c832c
- SHA1: 1f525c92bf3ad97f5b9d8d5ec426a3b19a0d97ef
- SHA256: 8b042d13aa74c2c2fa7bcdf345f60f53c69721cd43648515abbe23a5b3853aa0
- SHA512: 5f79492716a36eb9d6db1dcea3a1b9fa978988fade65fe422bdc0b5607343f80db289238930cb6c386fbd197009cfb8ce6ec0523a2ee34b3e2bef1a525f13cb5
- SSDEEP: 12288:DlbPIiKPOVzvTq0pKgPu3q9PjreluucV/pxzG+xNf1nEs:5PIROVvTNKgPWSfVHlNGs
Score: 10/10
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: pixel/Amerikanernes/Langobard/Expectorate/Inhaleres.Mak
- Size: 58KB
- MD5: c14475f2dad1110109be23192921aaa1
- SHA1: 7ca72d139455072cb288ccfec10621d790f56e1b
- SHA256: aa8f52c3a68e9d76445e97561f8cb538d55c92cb3f2eca91b22b60ea1fb9fa94
- SHA512: eb8946338017dbc5ab392f965ae0d282aeae56c9a7df1b62170672894a7845e9de8ad490cd70dbbb95586d0cdfb6920a413f3b5e424364c99a3d59fe13953ac8
- SSDEEP: 1536:/Fn3muO3mB6YzCoc6r7WYeHDuD7Ul3vO2FSDi2:d2zWB62CaujHzBvOdDi2
Score: 8/10
- Modifies Installed Components in the registry
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.