General
Target
470559644da70ca1f1c631e01457898ab7eee09a0ffef4eb3f84d6b2afc0bd62
Size
641KB
Sample
240604-bgx6csfg7x
MD5
1f71fde2c0bc1ed02e6226401be5716d
SHA1
a7d84f3cb9e8d2163b4b26604ef2e28fcfed16fb
SHA256
470559644da70ca1f1c631e01457898ab7eee09a0ffef4eb3f84d6b2afc0bd62
SHA512
22a46c3eb8978ff22290d799fe7994973dadafe27ca3bf713a88f7b97f230f2564fc6006aabd36c7c8fae18bd8d8489920a31b30e1da103bddadeda5ea5117e9
SSDEEP
12288:gpzkfPDo1FYqpAKAwm8g/oR5Haw7xdsNrQxc1rBVGAcnCO3k:+AnDofLDm81R13dsZ1sQ
Static task
static1
Behavioral task
behavioral1
Sample
ORDER INVOICE.exe
Resource
win7-20240221-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.voivocars.com
Port: 587
Username: [email protected]
Password: Gempaid
Email To: [email protected]
Targets
Target
ORDER INVOICE.exe
Size
702KB
MD5
8ed2d8c9c2672b58e4be6fe4ae1cff4d
SHA1
0ed9b9d546d8c1d14d9756b5a490bd48221fc7e8
SHA256
16fb45f6a5200f9cc9287ca597f26feff08ad9ea2987fd49a5703f985963ff59
SHA512
b130c9035305d0a1c82d9a4e36c36130a9136270c22abf7bb8b225e4321ba3905c0acd8b7a90a3b2f3e5a5fe458f85bb33af071464927323b400156eba690b23
SSDEEP
12288:qzy60t/rFfaWYqWVJzzxo/fZ1YAK2OIByOGUQxcZrBVGQi7T+70U:c70N5iWUZo3Z1ZeInGcZ3i7Ti
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Checks computer location settings
Looks up the country code configured in the registry, likely as a geofence check.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.
Suspicious use of SetThreadContext