General
-
Target
c357bab032ab8f7847f028c4fc042ddc9f19c31e51ac1177a00bf6ab8a230eef
-
Size
647KB
-
Sample
240430-bg6shagb71
-
MD5
aecf053ff7e1b7562f1fb5a17b1052fb
-
SHA1
1770148ae799fd48dff9bb5faf6263ae8820f94f
-
SHA256
c357bab032ab8f7847f028c4fc042ddc9f19c31e51ac1177a00bf6ab8a230eef
-
SHA512
b844e7d8736213b57aad7229a2cc10d90835a1417d99f16f91e012c608e27a1ff25044c27fbf27ac7d874b407c15e56cda9c6ff1398ab1a529a8640f7192043f
-
SSDEEP
12288:pbEUjHBP8dcxx/TLUCDVoLGHuf2jmJE0ONgXaUj6+tFTt0/EJot5NJufy:pbEc/bLUTRLJiNlUZbGE+t5fgy
Static task
static1
Behavioral task
behavioral1
Sample
POP SLIP 8xXhBLGyDgYrmSx.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
POP SLIP 8xXhBLGyDgYrmSx.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
PMOYQrU0 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
PMOYQrU0
Targets
-
-
Target
POP SLIP 8xXhBLGyDgYrmSx.exe
-
Size
697KB
-
MD5
ac26d2cbb10147452d05954370444a1b
-
SHA1
64257dbb911889303be1ed73518fa9525e068428
-
SHA256
c7174f7a64121e448a1789b703c2e263b1f9db4bc52aa3aeceded1879905af6c
-
SHA512
043d49cfe502e5f930d5c6c1b43d2cf07ac1fa97044077373f1cafcbf8623c2cc5fa1a99a022fa00ebefb7bd734cdf38265ac29804e328ef8c797c1318562899
-
SSDEEP
12288:1+DbgvUB778Qeexx1rNUCDVCLU5uf2tkJCwON8/aUHOYtFsBnTadozPP3JCrhd:UgsBZj9NUHbRJMNfUlkTaSzPP0hd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-