General
Target: 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe
Size: 370KB
Sample: 240515-lxdf1acb47
MD5: c47b0b123860ec7c7875dc27cd8909ac
SHA1: 69dfba63167499227db3d0f3ae0bea3d8f18253a
SHA256: 599973c508c9341b937561cbf8e9fe0976e438a94bf3b7714f0bca4c3d671c3b
SHA512: 07ea0b81fcae582e20a2960652eac7f48a48f717085f523744bc3813c5bcf9ca5415672139ffa35b118e7adcff9a98e948a088430e7a1c573045e23bde1c7938
SSDEEP: 6144:LspNjlspr76260rR2nw4r1wuY6gyVWLf7aM3t4SPRtfVWnguye/LF3UXAygd:LcqjpRkap+AzN3t4SPRtfVWguye/Ll4Y
Static task: static1
Behavioral task behavioral1: Sample 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe, Resource win10v2004-20240508-en
Behavioral task behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20240508-en
Behavioral task behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20240426-en
Behavioral task behavioral5: Sample $PLUGINSDIR/nsExec.dll, Resource win7-20240508-en
Behavioral task behavioral6: Sample $PLUGINSDIR/nsExec.dll, Resource win10v2004-20240508-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cash4cars.nz
Port: 587
Username: [email protected]
Password: logs2024!
Email To: [email protected]
Targets
Target: 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.exe
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
Target: $PLUGINSDIR/System.dll
Size: 11KB
MD5: 17ed1c86bd67e78ade4712be48a7d2bd
SHA1: 1cc9fe86d6d6030b4dae45ecddce5907991c01a0
SHA256: bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
SHA512: 0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5
SSDEEP: 192:eY24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol+Sl:E8QIl975eXqlWBrz7YLOl+
Score: 3/10
Target: $PLUGINSDIR/nsExec.dll
Size: 6KB
MD5: b55f7f1b17c39018910c23108f929082
SHA1: 1601f1cc0d0d6bcf35799b7cd15550cd01556172
SHA256: c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
SHA512: d652f2b09396ef7b9181996c4700b25840ceaa6c1c10080a55ce3db4c25d8d85f00a21e747f9d14a3374be4cdd4ea829a18d7de9b27b13b5e304447f3e9268fa
SSDEEP: 96:L7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN538:RbGgGPzxeX6D8ZyGgmkN
Score: 3/10