General

Target: FW CMA SHZ Freight invoice CHN1080769.exe
Size: 683KB
Sample: 240522-l9sfpabe45
MD5: 3288dbaae811a799ea563988c0d78315
SHA1: 48802f823b253a45d829b15bd0802db54ce35993
SHA256: e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
SHA512: fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80
SSDEEP: 12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9
Static task: static1

Behavioral task: behavioral1
Sample: FW CMA SHZ Freight invoice CHN1080769.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: FW CMA SHZ Freight invoice CHN1080769.exe
Resource: win10v2004-20240426-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.springandsummer.lk
Port: 587
Username: [email protected]
Password: anu##323
Email To: [email protected]
Targets

Target: FW CMA SHZ Freight invoice CHN1080769.exe
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext