General
-
Target
4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531
-
Size
1.6MB
-
Sample
240522-cr5tmahb94
-
MD5
17adc464aa58185418caa49dd6b1c93a
-
SHA1
56d94c8c288274bfff6499cee5ad30f23d39acff
-
SHA256
4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531
-
SHA512
b93b8e823e366a576cf9019cb96feee21409ce476b42f6022c426e03b92948f86df3e5937a901fb8bd9d900db44a5d94caad26371f9c6331db1b7d4a66ec23f1
-
SSDEEP
24576:1Wtb3BEWpvYCeq4XBFomOe4vwX+wExjd9SvtpvVQtrV+rBUA/6aXOieGAv:YZBEWSX8mOe44X1ZvtJV2a9xrAv
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
dahlia.hostnownow.com - Port:
587 - Username:
[email protected] - Password:
Foundation+111 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
dahlia.hostnownow.com - Port:
587 - Username:
[email protected] - Password:
Foundation+111
Targets
-
-
Target
4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531
-
Size
1.6MB
-
MD5
17adc464aa58185418caa49dd6b1c93a
-
SHA1
56d94c8c288274bfff6499cee5ad30f23d39acff
-
SHA256
4f62988cd5769211f29a387d2b6cd6a3b300fc563898432768d6e4d3db5cc531
-
SHA512
b93b8e823e366a576cf9019cb96feee21409ce476b42f6022c426e03b92948f86df3e5937a901fb8bd9d900db44a5d94caad26371f9c6331db1b7d4a66ec23f1
-
SSDEEP
24576:1Wtb3BEWpvYCeq4XBFomOe4vwX+wExjd9SvtpvVQtrV+rBUA/6aXOieGAv:YZBEWSX8mOe44X1ZvtJV2a9xrAv
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-