General
-
Target
63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe
-
Size
844KB
-
Sample
240523-rgwwasdg4t
-
MD5
d56e4cf40342c261abc7f621c30908d3
-
SHA1
09f99d47b38931ad4f964e98ef106c218e07ca12
-
SHA256
63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1
-
SHA512
201b0eb2546e0a3e7bb9f503c85c9ba1c24fcfd9de2a62972d3b9f45ee59c5f4d45585e319efe6baa54d664d39ddbf9d4fd51de0d6c2131d3f5b7847f48c34f2
-
SSDEEP
24576:vw4bjw4bolDAFv956pfL3U603tg+MyKOPNs8UYJzDSBNFxa7:vw4bjw4bgAFv956L3IdRG8UYJzDS0
Static task
static1
Behavioral task
behavioral1
Sample
63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe
Resource
win7-20240221-en
Malware Config
Extracted
Protocol: ftp- Host:
ftp.jeepcommerce.rs - Port:
21 - Username:
[email protected] - Password:
Q6]7rLSD*gU2
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.jeepcommerce.rs - Port:
21 - Username:
[email protected] - Password:
Q6]7rLSD*gU2
Targets
-
-
Target
63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe
-
Size
844KB
-
MD5
d56e4cf40342c261abc7f621c30908d3
-
SHA1
09f99d47b38931ad4f964e98ef106c218e07ca12
-
SHA256
63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1
-
SHA512
201b0eb2546e0a3e7bb9f503c85c9ba1c24fcfd9de2a62972d3b9f45ee59c5f4d45585e319efe6baa54d664d39ddbf9d4fd51de0d6c2131d3f5b7847f48c34f2
-
SSDEEP
24576:vw4bjw4bolDAFv956pfL3U603tg+MyKOPNs8UYJzDSBNFxa7:vw4bjw4bgAFv956L3IdRG8UYJzDS0
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-