General
-
Target
d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11.img
-
Size
1.2MB
-
Sample
240523-r8gkpaeh84
-
MD5
cdf2d0ec69cda136a182b17c4e272337
-
SHA1
3821755c637e4b1bee6053dbbb8cddf26ab553e3
-
SHA256
d43caa8513d5c833150caaea54a56ebad2306f89cac3266d057d7f47282c1a11
-
SHA512
482ef8aa1120c6ee5e1b5d68a1d2e957a94fbb73c39ed3dcc0f0ceaa4b35a7b2c3d8116cdbd90458240cfa454f4fb7fb07443f8dcf62c3cacceee85d17fec060
-
SSDEEP
192:3jY2yDwVFJs7R6/F53IYG8NJu0aTV/cFaFrmxpCz6cf:1/Jh/FNImyfTV/xrmxpCz6c
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.medicalhome.com.pe - Port:
587 - Username:
[email protected] - Password:
MHinfo01 - Email To:
[email protected]
Targets
-
-
Target
SKIIP 83EC125T1 22-0-05-24RQ.vbs
-
Size
5KB
-
MD5
62bc79cdf5d55f891ae6d2a662cb87fc
-
SHA1
2ab352feb12da98eca4c5ec9ce4b349f5731ab50
-
SHA256
d14ef42bd2f3ecb7ff2e7ea8b7fd79b06f5b048c2f181381b5f8b790b7228f3b
-
SHA512
1335d32fa999b5f3729f0b94caf214e09b78c9f3108c05e8fb6fddb828f7d8049a17c2e1b72ca12203ebdda0141d22c326e1986057677fdb9efe6970638c7db2
-
SSDEEP
96:QsLisJvmYz2W6/F5J9eI8L7YMH8NJPW0agOVTLU5VFPB5Gv9rmJ/pCz6cfp:QJs7R6/F53IYG8NJu0aTV/cFaFrmxpCv
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-