General

Target: 9376ee7b994f01a33b5bea31f4942e38bd00e4038e2a731385c332f15bafff9c
Size: 660KB
Sample: 240427-bebvcaff34
MD5: 4e0c1ac48d4a4096a9e3228b566cf18c
SHA1: 9d55681c454b5bda8c19035f7256616ee2945c91
SHA256: 9376ee7b994f01a33b5bea31f4942e38bd00e4038e2a731385c332f15bafff9c
SHA512: 2759bfe9e6c71a0ace0c921e5c29b28e2ce7358d9b8a1ee0469401a4b3269dfc2496bb4b127eaeb77f932758850ea8ac6f99cf637ff41ce24987e40c6b5c06db
SSDEEP: 12288:gVLb7uDICM9JASrzLoU0sD28/8pPzs+9vpPYX3U+Dm2e8m0oGpyci:gd7uECM9HrzLdZN/Q7b9KEqecq
Static task: static1

Behavioral task: behavioral1
Sample: 9376ee7b994f01a33b5bea31f4942e38bd00e4038e2a731385c332f15bafff9c.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 9376ee7b994f01a33b5bea31f4942e38bd00e4038e2a731385c332f15bafff9c.exe
Resource: win10v2004-20240426-en
Malware Config

Extracted (agenttesla)
Protocol: smtp
Host: smtp.vhscrew.com
Port: 587
Username: info@vhscrew.com
Password: investment123
Email To: cherry@dgmnigxing.com
Targets

Target: 9376ee7b994f01a33b5bea31f4942e38bd00e4038e2a731385c332f15bafff9c
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext