General

Target: a815b9dc9f3752c4bde423ed58b020cc7ef37a14fc18b71de803cb2ac3cde584
Size: 706KB
Sample: 240604-b1kpdahe36
MD5: 7d4864ff5549a237a00bf9f48175960c
SHA1: 2efc4551b6b4e849b1bb5d8342a7777c42bf1641
SHA256: a815b9dc9f3752c4bde423ed58b020cc7ef37a14fc18b71de803cb2ac3cde584
SHA512: 556cb44837db58cb9218c5ca983b9fa9eec21f67777422a178183d338cf0c26df031867b932713ba562ace137edb79a230c1e948542edc6b1acefc65125f5806
SSDEEP: 12288:Eo9Kt/rFfatK/yQJGUEybrmnR9JHVaJX1hMoNNdQDh3a1z9GDALTj6Bi+1hcAkCc:p9KN5itYRIL7LSvhMwNdQKZR0x1CO
Static task: static1
Behavioral task: behavioral1
Sample: a815b9dc9f3752c4bde423ed58b020cc7ef37a14fc18b71de803cb2ac3cde584.exe
Resource: win7-20240215-en
Malware Config

Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.klptruck.hu
Port: 21
Username: [email protected] (the mailbox part of the address is masked in the report text and is not recoverable from this page)
Password: kCu}[Z7z+)S[

Extracted: agenttesla (second copy of the same configuration; it differs only in that the host is given without the ftp:// scheme)
Protocol: ftp
Host: ftp.klptruck.hu
Port: 21
Username: [email protected]
Password: kCu}[Z7z+)S[
Targets

Target: a815b9dc9f3752c4bde423ed58b020cc7ef37a14fc18b71de803cb2ac3cde584 (the same file described under General; size and hashes are as listed there)

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests saved credentials, keystrokes and clipboard contents and sends them to its operator over SMTP, FTP or HTTP; this sample uses FTP, as the extracted configuration above shows.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths and processes (typically Add-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess) so that the dropped payload and its working directory are never scanned. On an affected host, Get-MpPreference shows the resulting exclusion lists.
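A detection for the behaviour just described, written for this page as an added example (it is not code from the sandbox or from the sample): it scans the ScriptBlockText of PowerShell 4104 events for Add-MpPreference or Set-MpPreference calls carrying -Exclusion* parameters and normalises PowerShell's abbreviated parameter names, so `-ExclusionPa` is reported as ExclusionPath. The script-block samples are constructed for the example; the paths and process name in them are placeholders, not values from this run.

```python
"""Detect Windows Defender exclusion tampering in PowerShell script-block logs.

Added example, not part of the sandbox report. It scans the ScriptBlockText of
PowerShell 4104 events (constructed sample blocks below) for Add-MpPreference or
Set-MpPreference calls that add exclusions, the behaviour the signature above
describes, and normalises PowerShell's abbreviated parameter names.
"""
import re
from dataclasses import dataclass

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress")

# A statement is the text between ';' or '|' on one line; the cmdlet may be in any case.
# (A ';' or '|' inside a quoted value would split the statement early; acceptable for log triage.)
CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b(.*)", re.IGNORECASE)
# Any -Exclusion* parameter followed by a quoted or bare value.
PARAM = re.compile(r"""-(Exclusion\w*)\s+("[^"]*"|'[^']*'|[^\s;|]+)""", re.IGNORECASE)


@dataclass
class ExclusionHit:
    cmdlet: str
    parameter: str
    value: str


def canonical_parameter(name: str) -> str:
    """Expand an unambiguous prefix (-ExclusionPa -> ExclusionPath); keep ambiguous ones as written."""
    matches = [p for p in EXCLUSION_PARAMS if p.lower().startswith(name.lower())]
    return matches[0] if len(matches) == 1 else name


def find_exclusion_changes(script_block: str) -> list[ExclusionHit]:
    """Return every Defender exclusion added or set anywhere in one script block."""
    hits = []
    for line in script_block.splitlines():
        for statement in re.split(r"[;|]", line):
            m = CMDLET.search(statement)
            if not m:
                continue
            cmdlet = m.group(1).capitalize() + "-MpPreference"
            for p in PARAM.finditer(m.group(2)):
                hits.append(ExclusionHit(cmdlet, canonical_parameter(p.group(1)), p.group(2).strip("'\"")))
    return hits


def suspicious_blocks(blocks: list[str]) -> list[int]:
    """Indices of script blocks that add at least one Defender exclusion."""
    return [i for i, b in enumerate(blocks) if find_exclusion_changes(b)]


# Constructed ScriptBlockText samples (placeholder paths); not taken from the sandbox run.
SAMPLE_SCRIPT_BLOCKS = [
    # benign: reading preferences only
    "Get-MpPreference | Select-Object ExclusionPath",
    # what the signature describes: extension, path and process exclusions in one line
    r"Add-MpPreference -ExclusionExtension exe; Add-MpPreference -ExclusionPath 'C:\Users\Public\Music'; Add-MpPreference -ExclusionProcess 'svc.exe'",
    # lower case and an abbreviated parameter name, which PowerShell still accepts
    r'add-mppreference -exclusionpa "C:\Users\victim\AppData\Roaming"',
]

if __name__ == "__main__":
    for i in suspicious_blocks(SAMPLE_SCRIPT_BLOCKS):
        for h in find_exclusion_changes(SAMPLE_SCRIPT_BLOCKS[i]):
            print(f"block {i}: {h.cmdlet} {h.parameter} = {h.value}")
```

Script-block logging records the decoded script even when the loader launched it with -EncodedCommand, so this check works on 4104 events; on command-line-only telemetry (4688 or Sysmon 1) you would have to base64-decode the argument first.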

Checks computer location settings
Reads the country code configured in the registry (the user's GeoID, stored under HKCU\Control Panel\International\Geo). This is most likely a geofence: the sample can compare the value against a list of regions in which it declines to run.

Looks up external IP address via web service
Queries a legitimate public IP-lookup service to learn the infected system's external IP address, which Agent Tesla reports to its operator alongside the stolen data. The request is ordinary HTTP to a benign site, so on its own it is a weak indicator; its value is as a correlation point with the FTP traffic to the extracted C2 host.
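The correlation just mentioned, and the FTP destination from the Malware Config section, as an added example written for this page (not code from the sandbox or the sample): it reads constructed connection-log lines and tags each process that contacts an IP-lookup service, that talks FTP to the extracted C2 host, and that does both within a short window. The C2 host and port come from the report; the list of IP-lookup services, the correlation window, the process images and the log format are assumptions made for the example.

```python
"""Correlate external-IP lookups with FTP traffic to the extracted C2.

Added example, not part of the sandbox report. It scans constructed
connection-log lines (timestamp, pid, image, destination host, port, first
client bytes) for two behaviours listed above: contacting a public IP-lookup
service, and FTP traffic to the host in the extracted AgentTesla config.
"""
from collections import defaultdict
from dataclasses import dataclass

# Destination taken from the report's extracted configuration.
C2_FTP_HOST = "ftp.klptruck.hu"
C2_FTP_PORT = 21

# Assumed list for the example: public IP-lookup services commonly contacted
# by stealers. Extend it from your own telemetry; it is not from the report.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com", "ipinfo.io"}

# A lookup followed by C2 traffic from the same process within this many
# seconds is treated as one exfiltration sequence (assumed window).
CORRELATION_WINDOW_S = 300.0


@dataclass
class Conn:
    ts: float
    pid: int
    image: str
    dst_host: str
    dst_port: int
    payload: str


def parse_conn_log(text: str) -> list[Conn]:
    """Parse comma-separated lines; blank lines and '#' comments are skipped."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, pid, image, host, port, payload = line.split(",", 5)
        conns.append(Conn(float(ts), int(pid), image, host, int(port), payload))
    return conns


def classify(conns: list[Conn]) -> dict[int, set[str]]:
    """Tag each pid: ip_lookup, c2_ftp, c2_ftp_upload, ip_lookup_then_c2."""
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c.pid].append(c)
    findings = {}
    for pid, evs in by_pid.items():
        tags = set()
        first_lookup_ts = None
        for c in sorted(evs, key=lambda c: c.ts):
            if c.dst_host in IP_LOOKUP_HOSTS:
                tags.add("ip_lookup")
                if first_lookup_ts is None:
                    first_lookup_ts = c.ts
            if c.dst_host == C2_FTP_HOST and c.dst_port == C2_FTP_PORT:
                tags.add("c2_ftp")
                if c.payload.startswith("STOR "):
                    tags.add("c2_ftp_upload")  # a file is being pushed to the server
                if first_lookup_ts is not None and c.ts - first_lookup_ts <= CORRELATION_WINDOW_S:
                    tags.add("ip_lookup_then_c2")
        if tags:
            findings[pid] = tags
    return findings


def severity(tags: set[str]) -> str:
    if "c2_ftp" in tags:
        return "high"  # traffic to the configured C2 is conclusive on its own
    return "low"       # an IP lookup alone is common in legitimate software


# Constructed log; the process images and timestamps are placeholders, not from the run.
SAMPLE_CONN_LOG = r"""
# ts,pid,image,dst_host,dst_port,first client bytes
1717480000.10,4120,C:\Windows\System32\svchost.exe,www.msftconnecttest.com,80,GET /connecttest.txt
1717480012.40,5268,C:\Users\victim\AppData\Roaming\svc.exe,api.ipify.org,80,GET /
1717480013.02,5268,C:\Users\victim\AppData\Roaming\svc.exe,ftp.klptruck.hu,21,USER <redacted>
1717480013.30,5268,C:\Users\victim\AppData\Roaming\svc.exe,ftp.klptruck.hu,21,STOR report.html
1717480100.00,3000,C:\Program Files\Mozilla Firefox\firefox.exe,ipinfo.io,443,CONNECT
"""

if __name__ == "__main__":
    for pid, tags in classify(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(pid, severity(tags), sorted(tags))
```

The browser process in the sample log hits an IP-lookup site too and is correctly left at low severity; only the process that also opens FTP to the configured host is escalated, with the STOR command marking the actual upload.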

Suspicious use of SetThreadContext
SetThreadContext called on a thread of another process is the hallmark of process hollowing: the sample starts a legitimate executable suspended, replaces its in-memory image with the payload, points the primary thread at the new entry point with SetThreadContext and then resumes it, so the payload runs under the name of a trusted binary.
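The hollowing chain described above, as an added example written for this page (not code from the sandbox or the sample): it replays a constructed API trace of the kind a sandbox or EDR emits and alerts only when one process creates another with CREATE_SUSPENDED, writes into it, sets its thread context and resumes it, in that order. The trace format, the assumption that handles are already resolved to a target pid/tid, and the host image name are all choices made for the example; a suspended start that is resumed without a write (the second process in the trace) is deliberately not flagged.

```python
"""Flag the process-hollowing API chain that ends in SetThreadContext.

Added example, not part of the sandbox report. It replays a constructed API
trace (sandbox/EDR style, with handles already resolved to target pid/tid) and
alerts only when one process creates another suspended, writes into it, sets
its thread context and resumes it, in that order.
"""
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004

CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
SET_CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


@dataclass
class ApiEvent:
    seq: int
    pid: int
    api: str
    args: dict


@dataclass
class HollowState:
    creator_pid: int
    image: str
    stage: int = 1  # 1 created suspended, 2 memory written, 3 context set


def parse_trace(text: str) -> list[ApiEvent]:
    """Parse 'key=value' tokens per line (assumed trace format); '#' lines are comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        args = {k: v for k, v in kv.items() if k not in ("seq", "pid", "api")}
        for k in ("target_pid", "target_tid", "flags", "size"):
            if k in args:
                args[k] = int(args[k], 0)  # accepts decimal and 0x-prefixed hex
        events.append(ApiEvent(int(kv["seq"]), int(kv["pid"]), kv["api"], args))
    return sorted(events, key=lambda e: e.seq)


def detect_hollowing(events: list[ApiEvent]) -> list[dict]:
    """Return one alert per target process that went through the full chain."""
    tracked: dict[int, HollowState] = {}
    alerts = []
    for e in events:
        target = e.args.get("target_pid")
        if target is None or target == e.pid:
            continue  # same-process context changes are a different technique; out of scope here
        if e.api in CREATE_APIS:
            if e.args.get("flags", 0) & CREATE_SUSPENDED:
                tracked[target] = HollowState(e.pid, e.args.get("image", "?"))
            continue
        st = tracked.get(target)
        if st is None or st.creator_pid != e.pid:
            continue  # only the creator's own actions on its suspended child count
        if e.api in WRITE_APIS and st.stage == 1:
            st.stage = 2
        elif e.api in SET_CONTEXT_APIS and st.stage == 2:
            st.stage = 3
        elif e.api in RESUME_APIS:
            if st.stage == 3:
                alerts.append({"creator_pid": e.pid, "hollowed_pid": target, "image": st.image, "seq": e.seq})
            del tracked[target]  # resumed: either alerted, or a benign suspended start
    return alerts


# Constructed trace; pids, image names and sizes are placeholders, not from the run.
SAMPLE_TRACE = r"""
# the hollowing chain: suspended create, unmap, allocate, write, set context, resume
seq=1 pid=5268 api=CreateProcessW image=C:\Windows\System32\notepad.exe flags=0x4 target_pid=6104 target_tid=6108
seq=2 pid=5268 api=NtUnmapViewOfSection target_pid=6104
seq=3 pid=5268 api=VirtualAllocEx target_pid=6104 size=0x9c000
seq=4 pid=5268 api=WriteProcessMemory target_pid=6104 size=0x200
seq=5 pid=5268 api=WriteProcessMemory target_pid=6104 size=0x9be00
seq=6 pid=5268 api=SetThreadContext target_pid=6104 target_tid=6108
seq=7 pid=5268 api=ResumeThread target_pid=6104 target_tid=6108
# benign: suspended start, job assignment, resume, with no write or context change
seq=8 pid=7000 api=CreateProcessW image=C:\Windows\System32\cmd.exe flags=0x4 target_pid=7100 target_tid=7104
seq=9 pid=7000 api=AssignProcessToJobObject target_pid=7100
seq=10 pid=7000 api=ResumeThread target_pid=7100 target_tid=7104
"""

if __name__ == "__main__":
    for a in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"hollowing: pid {a['creator_pid']} -> pid {a['hollowed_pid']} ({a['image']}) at seq {a['seq']}")
```

Requiring the full ordered chain is what keeps the rule quiet on installers and job-object launchers that also use CREATE_SUSPENDED; a variant that injects into an already-running process would need a separate rule keyed on OpenProcess plus write plus SetThreadContext.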