General
Target: 2784277bd68152abf75c6c6d59fab7af.bin
Size: 2.3MB
Sample: 240422-bhm2sadd45
MD5: 6289fc334a891dafe795b29a6ab0651e
SHA1: c8455171cf69b5d788a49027999e647e99de8784
SHA256: f7f0d4807d0f122eb51a61e3e3899f141a0cbd89c51515dd6216053df160fa9c
SHA512: efeebc73a253107821971efa3e999fa5227e544833ac980a5b8988ee2246cb38db69439dce6508ec34f09e9919995a4282bf18bd5ad1cba081c255fb81e88dc3
SSDEEP: 49152:7HY7ZV4HSlHLySg9UBnUppNKDT0yUl/a10CnAulo8dq7gS:7HY7ZqQeD9U4KDIHmrJqkS
Static task: static1
Behavioral task: behavioral1
Sample: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe
Resource: win7-20240221-en
Malware Config
Extracted: umbral
https://discord.com/api/webhooks/1225910337656590376/EwVP3wlMQgDXxoBxwLhaflFWF2WGja-17Tz3uwtoNirVyl9iU_nVCUsOrUJN46JTk-_-
Targets
Target: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc.exe
Size: 2.3MB
MD5: 2784277bd68152abf75c6c6d59fab7af
SHA1: e1d047c97e3bdfe273b215b42eccde32ca2ca63f
SHA256: 737bba8d3e9ad3e1526bf5949962af3b37107c80c767c473a820999eae507fbc
SHA512: e05b8251c9f6c59c7901d72c58f5b8c35dc376068368e67f81ee79da4287ddfc25c6ca5893d87944ed21c592bdd62f57d40a9f78c9af56762f33b010dd10b62c
SSDEEP: 49152:T2Q8G4mSmM8sik/AJ+/GRfzlW+oCZBNKoiYNsVjGMFWm02qG6zSo2:T2VmT8B4JAGllW+DBNdtN811
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect Umbral payload
- AgentTesla payload
- Drops file in Drivers directory
- Modifies Windows Firewall
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.