General
-
Target
d655f6cc8549b757a52c8814dcdf84f248e66956d933b55cdb0fa891593ec3da.zip
-
Size
654KB
-
Sample
240524-qaj3gsee73
-
MD5
6585e1cf69f5e01fb4f35d0e770ce283
-
SHA1
4b08bb7bfab72c71d701625fa451d39d20fb3d49
-
SHA256
d655f6cc8549b757a52c8814dcdf84f248e66956d933b55cdb0fa891593ec3da
-
SHA512
503ff5484ba5d89543c3a7d4ca641afa68c3003d21608ae57b6054ccf6607ab88c25216e54a6f950bf965eebb30c91409b7102431d5b0f26849b2abccc6de162
-
SSDEEP
12288:FzWWITuvkHBM7GNXxm70e++DatYk8nlWim5gKNBcHCPLICoPe8OMtu:F6WeKU4Gwc+A+8OK3ciTHee8OMtu
Static task
static1
Behavioral task
behavioral1
Sample
FW CMA SHZ Freight invoice CHN1080769.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
FW CMA SHZ Freight invoice CHN1080769.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.springandsummer.lk
Port: 587
Username: [email protected]
Password: anu##323
Email To: [email protected]
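The extracted config above is the exfiltration channel: the stealer mails harvested data over SMTP submission (port 587) through the listed host with the listed credentials. The credentials are there for hunting and attribution, not for logging into the mailbox. The following script is an added example written for this page (not sandbox or AgentTesla code): it parses the report's "Key: value" block into a dict and then matches the host and port against constructed Zeek-style dns/conn records. The DNS answers, client addresses and timestamps are made up for the example; the "[email protected]" placeholders are kept as they appear on the page.

```python
import re
from typing import Dict, List, Tuple

# The report's extracted AgentTesla config, copied into one "Key: value" per
# line.  The two "[email protected]" placeholders are kept exactly as they
# appear on the page; the real addresses are not recoverable from it.
EXTRACTED_CONFIG = """agenttesla
Protocol: smtp
Host: mail.springandsummer.lk
Port: 587
Username: [email protected]
Password: anu##323
Email To: [email protected]
"""


def parse_config(text: str) -> Dict[str, str]:
    """Parse the report's config block: the first line is the family name,
    every following line is 'Key: value'.  Keys are normalised to snake_case."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    cfg = {"family": lines[0]}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a stray line without a separator
        cfg[key.strip().lower().replace(" ", "_")] = value.strip()
    return cfg


# Constructed Zeek-style records written for this example (not sandbox data).
# dns.log subset: (query, answer).  The answer IPs are RFC 5737 documentation
# addresses used as placeholders, not the mail host's real address.
SAMPLE_DNS: List[Tuple[str, str]] = [
    ("mail.springandsummer.lk", "203.0.113.10"),
    ("update.example.org", "198.51.100.7"),
]
# conn.log subset: ts, id.orig_h, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """1716550000.1\t10.0.0.5\t203.0.113.10\t587\ttcp\tsmtp
1716550001.2\t10.0.0.5\t198.51.100.7\t443\ttcp\tssl
1716550002.3\t10.0.0.9\t203.0.113.10\t587\ttcp\tsmtp
1716550003.4\t10.0.0.9\t203.0.113.10\t25\ttcp\tsmtp
"""


def hunt(cfg: Dict[str, str], dns: List[Tuple[str, str]], conn_log: str) -> List[dict]:
    """Return connections to any IP the exfil host resolved to, on the exfil port.
    Matching on the resolved IP rather than the name also catches direct-to-IP
    reconnects; matching on the port keeps ordinary traffic to the same mail
    server (e.g. port 25 MX delivery) out of the result."""
    exfil_ips = {ip for name, ip in dns if name.lower() == cfg["host"].lower()}
    port = int(cfg["port"])
    hits = []
    for row in conn_log.strip().splitlines():
        ts, src, dst, dport, proto, service = row.split("\t")
        if dst in exfil_ips and int(dport) == port:
            hits.append({"ts": float(ts), "src": src, "dst": dst, "service": service})
    return hits


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    for hit in hunt(cfg, SAMPLE_DNS, SAMPLE_CONN_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{cfg['port']} ({hit['service']}) at {hit['ts']}")
```

A real hunt should also look at the SMTP AUTH username in smtp.log or mail-gateway logs, since the same mail server can legitimately appear in traffic from the victim's own mail clients; the username in the config is what ties a session to this sample.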
Targets
-
-
Target
FW CMA SHZ Freight invoice CHN1080769.exe
-
Size
683KB
-
MD5
3288dbaae811a799ea563988c0d78315
-
SHA1
48802f823b253a45d829b15bd0802db54ce35993
-
SHA256
e0e366834de34a6e93035842b46662c2b1b05d350c1218953f8faab632ead3ae
-
SHA512
fc6b2c90ad9c9f2b906a6247230d2f71a0cbe764b0e3ea2c67d49477fb4f81580dd96a5ba2e3d11e92b15f8421b48e8afd7bd06e6d5ee009b8babfc1acf9cc80
-
SSDEEP
12288:3I23I9uvcHdMFGNX/m7EA++tat0kanlWimxg8NBcHYPLICoPw896GpQkR:YYyK+wGGs+sY8283c4THew8EG9
-
AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, originally written in Visual Basic; this sample's extracted config shows it exfiltrating over SMTP.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (typically via the Add-MpPreference cmdlet's -ExclusionExtension, -ExclusionPath and -ExclusionProcess parameters) so that the dropped payload is no longer scanned.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check to avoid running in unwanted regions.
-
Adds a Run key to start the application at logon (registry autorun persistence).
-
Suspicious use of SetThreadContext (a common marker of process hollowing / RunPE-style injection, where the unpacked payload is written into a suspended process and the main thread's context is redirected to the payload's entry point).
-
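Two of the behaviours above, the PowerShell Defender-exclusion change and the Run key persistence, leave host-log evidence that can be checked mechanically. The script below is an added example written for this page, not sandbox or AgentTesla code. It runs over constructed records modelled on PowerShell script-block logging (Event ID 4104, which records the decoded script text even when the command was passed as -EncodedCommand) and Sysmon RegistryEvent (Event ID 13, value set); the script text, SID, paths and value names are made up for the example.

```python
import re
from typing import Dict, List

# Constructed host-log records written for this example (not sandbox output):
#   id 4104 = PowerShell script-block logging, field "script" = decoded block text
#   id 13   = Sysmon RegistryEvent (value set), fields "target" (key\value) and "details"
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4104, "script": "Add-MpPreference -ExclusionPath 'C:\\Users\\Public' "
                           "-ExclusionExtension exe -ExclusionProcess 'powershell.exe'"},
    {"id": 4104, "script": "Get-Process | Sort-Object CPU -Descending"},
    {"id": 13, "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Invoice",
               "details": r"C:\Users\Public\invoice.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
               "details": "DWORD (0x00000002)"},
]

ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)
# Any -Exclusion* parameter after the cmdlet.  \w* rather than an exact list so
# that PowerShell's unambiguous parameter prefixes (e.g. -ExclusionPa) still match.
EXCL_PARAM = re.compile(r"-(Exclusion\w*)", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def defender_exclusion_params(script: str) -> List[str]:
    """Return the -Exclusion* parameters used with Add-MpPreference in a script block."""
    m = ADD_MP.search(script)
    if not m:
        return []
    return EXCL_PARAM.findall(script[m.end():])


def is_run_key_write(target: str) -> bool:
    """True if a registry value under a Run/RunOnce autorun key was set."""
    return RUN_KEY.search(target) is not None


def triage(events: List[Dict]) -> List[Dict]:
    """Map the raw events onto the two behaviours the report lists."""
    findings = []
    for ev in events:
        if ev["id"] == 4104:
            params = defender_exclusion_params(ev["script"])
            if params:
                findings.append({"technique": "Defender exclusion via PowerShell",
                                 "params": params})
        elif ev["id"] == 13 and is_run_key_write(ev["target"]):
            findings.append({"technique": "Run key persistence",
                             "value": ev["target"].rsplit("\\", 1)[1],
                             "command": ev["details"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The text match on the script block is deliberately loose; if script-block logging is not enabled, the same change still shows up as Windows Defender operational Event ID 5007 (configuration changed), which is the record to fall back on.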