General

Target: c2cd39749446ec1143a7cee483a189aa3d6f875eca52add69e54ec860c9a8827
Size: 677KB
Sample: 240518-j8592sbe27
MD5: 0d7d363efb871cf9e0d90171459a14af
SHA1: a684f07da63832a6bdad69d805a31e244717f3a6
SHA256: c2cd39749446ec1143a7cee483a189aa3d6f875eca52add69e54ec860c9a8827
SHA512: 0bd9dcb0d9d2b6bd4ad5e0d182be921ef52ff94564dadd3a0f705f074d1fdaa6411197ec25a89a2109f48a497abe25f86c7295c3e53feed7c39700c4b70511b3
SSDEEP: 12288:eifQ2qj4vR9RCeRfyPlpIzeE/RUGW1GMOZR9bREzl/PRv1+Jvz7I/OwyJZ:ei42qjmw4fy9qzeE/RTnT9bSzl/x1QcS
Static task: static1
Behavioral task: behavioral1
Sample: 32909bbd3c2dbe9566f238899fbceabb22c90d58cebfd60b83683fdde4634703.exe
Resource: win7-20231129-en
Malware Config

Extracted (agenttesla)
Protocol: smtp
Host: mail.erbagelektronik.com
Port: 587
Username: [email protected]
Password: Erbag2024!**
Email To: [email protected]

Extracted
Protocol: smtp
Host: mail.erbagelektronik.com
Port: 587
Username: [email protected]
Password: Erbag2024!**
Targets

Target: 32909bbd3c2dbe9566f238899fbceabb22c90d58cebfd60b83683fdde4634703.exe
Size: 708KB
MD5: e7d4d2b32cdebd6cabe35743ebb18cea
SHA1: 0bc43b55e25f9959b47cd54444c10564a576b460
SHA256: 32909bbd3c2dbe9566f238899fbceabb22c90d58cebfd60b83683fdde4634703
SHA512: be5079b801f30a88dc5a57c959fc200b7255a6f55cc25394f1f5c5e496ade11f1881ac5174fac080fa684ac7b767dcdf8b59f02e42360e7c3fc094e593707a85
SSDEEP: 12288:80pei36RcrhK2VAJZV5ZUARp3tbQ8LhzOn8mmjNkQ6eps1QRKY4506:/pp36KrZVAJZVwA3a8L5Nj6FeC1+KY45
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext