General

Target: officescan 1010SCO.pdf.arj
Size: 113KB
Sample: 240411-cnpm8scg8w
MD5: cd184b97e4ec6b9be6d67e49e7ea0c76
SHA1: 2c23f6e8fb8f53b3a5bfdd0e3ba343fce2ba2dbd
SHA256: fed5acd194945445c36a7dcff55f3106a7c581e236a29d66a49a9777f7c73c5a
SHA512: 46dafdaccceda6434f12c2e6bdc99390d8470ac1e30cf76c60fe3cbf1358cb94410540eef20ebd73d4348417cfc6ac722ba49cf06a8eb3f696ec5868d56a74a7
SSDEEP: 3072:6anKY3SGFufH3bbFjPaSFnPXewsVRwrDCuQnOHdqK5:6aKMSGFufH3N1PuwsVRwruumOd5
Static task: static1

Behavioral task: behavioral1
Sample: officescan 1010SCO .pdf.vbs
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: officescan 1010SCO .pdf.vbs
Resource: win10v2004-20240319-en
Malware Config

Extracted family: agenttesla
Protocol: smtp
Host: mail.myhydropowered.com
Port: 587
Username: [email protected]
Password: 0nVaQweHLu8RyVL
Email To: [email protected]
Targets

Target: officescan 1010SCO .pdf.vbs
Size: 272KB
MD5: 3dc581a23bc3d6115c76bc51cb512a53
SHA1: 6fa8254d8d81ebb9effc26b6617084dc0f97ae9f
SHA256: 457cda2f1a7e6a9082f3cfe7847a7d3937a5d7de90aefd06ebc5ed4f4255da49
SHA512: fe3d49f400587275506eee35b7ee35e00eeb4fce28a1fc207aea7163fd5fb54a30e2290e08ed33ef04d5a06bb319f13e6ecbb3d97502d37fa88f28d7fa62e26e
SSDEEP: 6144:U5h1/GPWvV+kcuUxouBmfgbtosqFH8sBsnQAViKiDDCQbJPQf2/7cgU1bL5P08C:fmFb06
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Blocklisted process makes network request

Checks computer location settings
Looks up the country code configured in the registry, likely used for geofencing.

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext