General
-
Target
document.exe
-
Size
679KB
-
Sample
240603-ltyb1aae61
-
MD5
bb277f03c2e761e03643369ef4d9f1da
-
SHA1
8f44aa9566f9da9c7086d6da8f080c7a7de52050
-
SHA256
8054c765c0425811e3632409c6bbd9149fde1de08593796957ca55ead7e9e683
-
SHA512
e5d754214062f9f7767116d9aaa23abf70094a113cd682d257c145ca7e0825d344259149087df4dfee14ead93e61b476c2135522a859d8720d625a5693846cf0
-
SSDEEP
12288:m67FxhThagHCN1x2W6BU8KbYJ6BrBpz86Q5NxdDHEYMxVhmaAkgBzJzmh:pDhThagq1/60bYG1pz8LN+hmacBNzmh
Static task
static1
Behavioral task
behavioral1
Sample
document.exe
Resource
win7-20240221-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: phoenixblowers.com
Port: 587
Username: [email protected]
Password: Officeback@2022#
Email To: [email protected]
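The extracted config means every infected host authenticates to the same phoenixblowers.com mailbox on submission port 587 and mails the stolen data to itself. The password is for a third-party mailbox that was presumably compromised; treat it as an indicator, not as credentials to use. The script below is an added example (not part of the report and not Agent Tesla code) of how the operator of such a mail server could spot the abuse in Postfix submission logs: one sasl_username logging in from several unrelated client IPs within a short window. The log lines, the placeholder mailbox office@example.com and the client addresses are all constructed, because the report redacts the real username.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Postfix submission-service log lines (not from the report).
# office@example.com stands in for the redacted mailbox; the first three client
# addresses stand in for three different infected hosts using the same account.
SAMPLE_LOG = """\
Jun  3 09:12:01 mx postfix/submission/smtpd[2211]: 7A1B2C: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=office@example.com
Jun  3 09:12:44 mx postfix/submission/smtpd[2211]: 7A1B2D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=office@example.com
Jun  3 09:13:02 mx postfix/submission/smtpd[2215]: 7A1B2E: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=office@example.com
Jun  3 09:13:30 mx postfix/submission/smtpd[2215]: 7A1B2F: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=office@example.com
Jun  3 11:40:10 mx postfix/submission/smtpd[2218]: 7A1B30: client=laptop.example.com[10.0.0.5], sasl_method=PLAIN, sasl_username=alice@example.com
"""

# Postfix "client=rdns[ip], sasl_method=..., sasl_username=..." line from the
# submission (port 587) smtpd instance.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/submission/smtpd\[\d+\]: "
    r"\w+: client=(?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\], sasl_method=(?P<method>\w+), "
    r"sasl_username=(?P<user>\S+)$"
)


def parse_submissions(log_text, year=2024):
    """Return (timestamp, username, client_ip, sasl_method) for each auth line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"].lower(), m["ip"], m["method"]))
    return events


def shared_mailboxes(events, min_ips=3, window_minutes=60):
    """Flag accounts used from at least min_ips distinct client IPs within any
    window of window_minutes. Returns {username: max distinct IPs in a window}.
    """
    by_user = defaultdict(list)
    for ts, user, ip, _method in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        best = 0
        for i, (start, _ip) in enumerate(hits):
            # all logins that fall inside the window opened by this one
            ips = {ip for ts, ip in hits[i:]
                   if (ts - start).total_seconds() <= window_minutes * 60}
            best = max(best, len(ips))
        if best >= min_ips:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, n in shared_mailboxes(parse_submissions(SAMPLE_LOG)).items():
        print(f"{user}: {n} distinct client IPs within an hour")
```

If the sessions negotiate STARTTLS (the norm on port 587), the message bodies are encrypted on the wire, so the server-side authentication log is the practical place to see the pattern. On the victim side the indicator is simpler: an outbound connection to phoenixblowers.com:587 from a workstation that has no reason to submit mail.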
Targets
-
Target
document.exe
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; this sample exfiltrates over SMTP using the mailbox in the extracted config above.
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (typically via the Add-MpPreference or Set-MpPreference cmdlets).
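The report does not quote the sample's command line, so the following is an added example (not from the report) of detection logic a responder could run over process-creation command lines (the CommandLine field of Sysmon Event ID 1 or Security 4688) to flag Defender exclusion and disable calls, including the backtick-escaped and -EncodedCommand spellings that defeat a naive substring match. The command lines are constructed; the cmdlet and parameter names are the real Defender ones.

```python
import base64
import re


def encode_ps(command):
    """Encode a command the way PowerShell's -EncodedCommand expects it:
    base64 of the UTF-16LE bytes."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines; the report does not list the
# sample's actual command, these show how the same behaviour can be spelled.
SAMPLE_COMMANDS = [
    'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\Public"',
    "powershell -nop -w hidden Add-MpPreference -ExclusionExtension .exe -ExclusionProcess document.exe",
    "powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    # backtick escapes inside a name are dropped by the parser, so the cmdlet still runs
    "powershell Add-M`pPreference -Exclu`sionPath C:\\Temp",
    # the whole cmdlet hidden behind -EncodedCommand (abbreviated to -enc)
    "powershell.exe -enc " + encode_ps("Add-MpPreference -ExclusionPath C:\\ProgramData"),
    "powershell Get-MpPreference | Select-Object ExclusionPath",
    "cmd.exe /c echo hello",
]

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec,
# -en, -enc), followed by a base64 token.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})(?=\s|$)", re.I)

TAMPER_RULES = [
    # Add-/Set-MpPreference with any -Exclusion* parameter (Path, Extension, Process, IpAddress)
    ("defender_exclusion", re.compile(r"\b(?:add|set)-mppreference\b.*-exclusion\w*")),
    # Set-MpPreference -Disable<Feature> $true, e.g. real-time monitoring
    ("defender_disable", re.compile(r"\bset-mppreference\b.*-disable\w*\s+\$?true\b")),
]


def normalize(cmdline):
    """Undo the cheap obfuscations: decode an -EncodedCommand payload and
    strip backtick escapes, then lowercase for case-insensitive matching."""
    m = ENC_RE.search(cmdline)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
            cmdline = cmdline[: m.start()] + decoded
        except (ValueError, UnicodeDecodeError):
            pass  # not really an encoded command; keep the raw line
    return cmdline.replace("`", "").lower()


def classify(cmdline):
    """Return the names of the tamper rules the command line triggers."""
    text = normalize(cmdline)
    return [name for name, rx in TAMPER_RULES if rx.search(text)]


def scan(commands):
    return [(cmd, classify(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_COMMANDS):
        print(f"{hits or ['-']}\t{cmd[:80]}")
```

Pair this with the host's own record: Defender logs every configuration change as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational channel, and `Get-MpPreference` shows the exclusions currently in force, so a flagged command line can be confirmed against what actually changed.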
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check so the sample can avoid running in certain locales.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
SetThreadContext is the call used in process hollowing to point a suspended thread in another process at injected code; the report gives no further detail for this sample.
-