General
- Target: c372c6cffdd9eaa2b091ecada65eb72c21d39fd00eb1dcb8cfbbbc1830c376c8
- Size: 684KB
- Sample: 240519-bmqcpsae8y
- MD5: c26c8968925b61681fdee20b912d6a6d
- SHA1: a51d6ad78b12a3f7285fd0523cc452f4796d03b5
- SHA256: c372c6cffdd9eaa2b091ecada65eb72c21d39fd00eb1dcb8cfbbbc1830c376c8
- SHA512: 02ea998d7ff9e191c1c3fe789b7576cff0201aeb472d3c7bb5206fe5a5b6a6515b8cdd848ba71209e7ea9a4968375d5fd3d5be1b17f2ca579f34ccd393c2a3c3
- SSDEEP: 12288:iQaRdnGmeLAfJ53CLxHWKPkazDshHwcFgbTcP7QjVJqMJOwJsD3L9Vo3xI9x:ILnGm5viP3zDCwCgsPQOwwpVo3xI9
Static task: static1
Behavioral task: behavioral1
- Sample: c372c6cffdd9eaa2b091ecada65eb72c21d39fd00eb1dcb8cfbbbc1830c376c8.exe
- Resource: win7-20240508-en
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.adlinesgh.com
- Port: 587
- Username: [email protected]
- Password: Ghana@1235
- Email To: [email protected]
Extracted
- Protocol: smtp
- Host: mail.adlinesgh.com
- Port: 587
- Username: [email protected]
- Password: Ghana@1235
Targets
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext