General

Target: 18efb91c0c6f0dec6620bf5e170ba7803a1d2e208c2545f3580d265a782cb745.7z
Size: 697KB
Sample: 240507-v4tagagd4v
MD5: bb0784cacd5ff0f33b3e2acc3b8b1ffc
SHA1: 23a9ba49b42bebf243e6493bc0a4fc74b3fc4bcf
SHA256: 18efb91c0c6f0dec6620bf5e170ba7803a1d2e208c2545f3580d265a782cb745
SHA512: dbd15e5b3deaa22a980fb66d1a8fc33513ad3bc0f6aa6b63e28708ffc6a4033e7ff0484e90ff0a644fb28c4ee5f99aeb319e3ebdfe6abf2714d57e8a9fc6a8ee
SSDEEP: 12288:SVl11eBSxY7Xfpeiwd5EJOtmaqluVirE+nf33eMTeb2denZ5au9moQh5H6eGx3yu:S/1qSW1e9DtmR6qtf/Teb2ivW5H6dtyu
Static task: static1
Behavioral task: behavioral1
  Sample: NEW SAMPLE ORDER.exe
  Resource: win7-20240220-en (Windows 7, English VM image)
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: webmaster
Email To: [email protected]

The sample exfiltrates over SMTP submission (TCP/587) using a hard-coded mailbox: Username and Password are the credentials it authenticates with, and Email To is the address that receives the stolen data. Because the configuration is embedded in the binary in recoverable form, the sandbox could extract it statically. The two e-mail addresses appear as "[email protected]" in this copy of the report, so their original values are not recoverable here; the host and port are usable as network indicators as written.
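The host and port above are the only network indicators the report gives, so the most direct use of this config is a hunt on endpoints for traffic to that mail server, and more generally for SMTP submission from processes that are not mail clients. The following PowerShell is an added example written for this page, not part of the Triage report or of any Agent Tesla tooling. It assumes a Windows host with Sysmon installed and its operational log readable; the C2 host and port are taken from the config, while the IP-lookup watchlist and the mail-client allowlist are assumptions for illustration (the report does not say which lookup service this sample uses).

```powershell
# Added example, not part of the Triage report: hunt a Sysmon-instrumented
# Windows host for activity matching the extracted Agent Tesla SMTP config.
# Run in an elevated PowerShell session (reading the Sysmon log needs admin).

$C2Host = 'mail.iaa-airferight.com'   # from the extracted config
$C2Port = 587                         # from the extracted config

# Assumed for illustration: public services malware commonly queries to learn
# its external IP. The report does not name the one this sample used.
$IpLookupWatchlist = @('api.ipify.org', 'checkip.dyndns.org', 'icanhazip.com', 'ip-api.com')

# Assumed for illustration: processes that may legitimately speak SMTP submission.
$MailClientAllowlist = @('outlook.exe', 'thunderbird.exe')

function Get-SysmonEventData {
    # Convert one Sysmon event into a hashtable keyed by the EventData <Data Name="...">
    # attribute, so the code does not depend on the positional order of $_.Properties.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-SysmonEvents {
    param([int[]]$Id, [int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $Id
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object { Get-SysmonEventData $_ }
}

function Find-C2DnsQueries {
    # Sysmon Event ID 22 (DNS query): any process resolving the C2 mail host, or
    # one of the assumed IP-lookup services, within the lookback window.
    param([int]$Days = 7)
    Get-SysmonEvents -Id 22 -Days $Days | Where-Object {
        $_.QueryName -eq $C2Host -or $IpLookupWatchlist -contains $_.QueryName
    } | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Image  = $_.Image
            Query  = $_.QueryName
            Answer = $_.QueryResults
        }
    }
}

function Find-SmtpFromUnexpectedProcess {
    # Sysmon Event ID 3 (network connection): outbound TCP/587 initiated by a
    # process that is not an allowlisted mail client. A destination hostname
    # matching the C2 host is a confirmed hit; anything else is still worth triage.
    param([int]$Days = 7)
    Get-SysmonEvents -Id 3 -Days $Days | Where-Object {
        $_.Initiated -eq 'true' -and
        [int]$_.DestinationPort -eq $C2Port -and
        $MailClientAllowlist -notcontains (Split-Path $_.Image -Leaf).ToLower()
    } | ForEach-Object {
        $verdict = if ($_.DestinationHostname -like "*$C2Host*") { 'C2 host' } else { 'unexpected SMTP client' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Image    = $_.Image
            Dest     = "$($_.DestinationIp):$($_.DestinationPort)"
            DestHost = $_.DestinationHostname
            Verdict  = $verdict
        }
    }
}

Find-C2DnsQueries | Format-Table -AutoSize
Find-SmtpFromUnexpectedProcess | Format-Table -AutoSize
```

The port-587 rule is deliberately broader than the single C2 host: the mail server in a given Agent Tesla build changes from campaign to campaign, but a non-mail process opening an authenticated SMTP session almost never has a benign explanation on a workstation. DestinationHostname in Sysmon depends on reverse DNS, so treat the DNS-query hits (Event ID 22) as the more reliable link back to the configured host.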
Targets

Target: NEW SAMPLE ORDER.exe
Size: 886KB
MD5: 755bd5d68b7534193c16fbde38f20bf1
SHA1: a8e68805e2cca84d6f0c1f4525eb5bcfdd29587c
SHA256: 30118db79f45d9e495d85d5188ebc4e010a2bc33258b8b0d0d1abfd1f056502f
SHA512: 89c23f3a6e879ba82d69dee9e715ece517abd467f678a28e96eb0ba1c7e3a7fa12e1be611d16956e47672938ac2cc41c078d70a083d57214f43f383f2f9a920e
SSDEEP: 12288:MHbCiAEfDOKa9Uis/5EDOj3SqlV7iOE+nf336MPSbZYALL5xuieo8YXHAq4UkR:+CRE7OK2Ux7j3ZtRtfjPSbZR8MXHAqk

Note that the hashes under General describe the submitted .7z archive, while the hashes here describe the executable extracted from it. For file-based indicators (EDR blocklists, retro-hunts) use the executable's hashes; the archive hashes will only match the exact container that was uploaded.
Signatures:

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It logs keystrokes, harvests saved credentials from browsers, mail and FTP clients, and exfiltrates them over SMTP, FTP, HTTP or Telegram depending on the build; this sample is configured for SMTP (see Malware Config above).

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so that the dropped payload and its working directory are not scanned (MITRE ATT&CK T1059.001 for the PowerShell use, T1562.001 Impair Defenses: Disable or Modify Tools for the exclusions). Exclusions added this way persist after the malware process exits, so they have to be found and removed during remediation, not just the binary.

Checks computer location settings
Reads the country code configured in the registry (typically the Geo\Nation value under HKCU\Control Panel\International), most likely as a geofence so that the payload does not run in certain countries.

Looks up external IP address via web service
Queries a legitimate public IP-lookup service to learn the infected host's external IP address, which stealers of this family usually include in the first exfiltrated report. The specific service is not named in this report.

Suspicious use of SetThreadContext
Calling SetThreadContext on a thread of another process is the characteristic final step of process hollowing: a legitimate process is started suspended, its image is replaced with the payload, the main thread's context is pointed at the new entry point, and the thread is resumed, so the malicious code runs under the name of a benign executable. The report does not identify the host process used by this sample.
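Because the Defender exclusions described under "Command and Scripting Interpreter: PowerShell" outlive the malware process, an incident responder needs to enumerate them, find when and by what script they were added, and remove them. The following PowerShell is an added example for this page, not code from the report or from the sample. It assumes a Windows 10/11 or Server 2012+ host where the Defender PowerShell module (Get-MpPreference and friends) is available and, for the script-block search, that PowerShell Script Block Logging is enabled; the exclusion values passed to the removal function at the bottom are hypothetical placeholders, not values from this sample.

```powershell
# Added example, not part of the Triage report: audit and remediate Windows
# Defender exclusions of the kind the sample's PowerShell adds. Run elevated.

function Get-CurrentDefenderExclusions {
    # Snapshot of every exclusion currently in effect. Cleartext review is the
    # fastest way to spot user-writable paths (AppData, Temp, Downloads) and
    # extensions such as .exe that no legitimate policy would exclude.
    $p = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($p.ExclusionPath)
        Extensions = @($p.ExclusionExtension)
        Processes  = @($p.ExclusionProcess)
    }
}

function Get-ExclusionChangeEvents {
    # Defender logs Event ID 5007 ("configuration has changed") for every
    # preference change; exclusion changes reference the Exclusions registry key
    # in the message, which lets us filter out unrelated configuration noise.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Defender\\Exclusions\\' } |
        Select-Object TimeCreated, Message
}

function Get-ExclusionScriptBlocks {
    # Event ID 4104 (Script Block Logging) records the PowerShell that ran.
    # Properties[2] is ScriptBlockText. Matches Add-MpPreference and any
    # Set-MpPreference call that touches an Exclusion* parameter.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match '(?i)Add-MpPreference|Set-MpPreference[^\r\n]*-Exclusion' } |
        Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }
}

function Remove-SuspiciousExclusions {
    # Remove the exclusions identified during triage. Each parameter takes the
    # exact strings as they appear in Get-CurrentDefenderExclusions output.
    param([string[]]$Path, [string[]]$Extension, [string[]]$Process)
    if ($Path)      { Remove-MpPreference -ExclusionPath $Path }
    if ($Extension) { Remove-MpPreference -ExclusionExtension $Extension }
    if ($Process)   { Remove-MpPreference -ExclusionProcess $Process }
}

# Triage: what is excluded now, when it changed, and which script did it.
Get-CurrentDefenderExclusions | Format-List
Get-ExclusionChangeEvents     | Format-Table -AutoSize -Wrap
Get-ExclusionScriptBlocks     | Format-Table -AutoSize -Wrap

# Remediation (hypothetical values; substitute what the triage above returned).
# Remove-SuspiciousExclusions -Path "$env:APPDATA\dropper" -Extension 'exe' -Process 'dropper.exe'
```

Two caveats when reading the output: Event ID 5007 records that an exclusion was written but not the user or process responsible, so correlate its timestamp with the 4104 script blocks (or with process-creation telemetry) to attribute it; and if Script Block Logging was not enabled at the time of infection, 4104 will be empty and the 5007 timeline is all the host can offer. Check that the Exclusions lists are empty again after Remove-MpPreference, because a tamper-protected or policy-managed host may silently refuse the change.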