General
Target: 1d77439d7d79954a16a0b6f8f3bff0e3d5b079c3ff602641a4b6fa24ea2f2da7.zip
Size: 661KB
Sample: 240609-lvsg5shf92
MD5: b3440f88bef755f9063f6eadf54dbc48
SHA1: 0846ffda47a30f42dbc2f806fc2bab890077f41c
SHA256: 1d77439d7d79954a16a0b6f8f3bff0e3d5b079c3ff602641a4b6fa24ea2f2da7
SHA512: c890d496c1569ae326e43dbb7e93c9ecda520a66ad84da083abc09294e2472ca55882068f080653a43930d7c62f84d7a1776d3a1945f88645e2841cbe29f6086
SSDEEP: 12288:utaYIgogJx1jSbAqycgWRXp5xw0hlqus7cneT3oQLOVaOx3dom0bRMqJ:OabgogJxc0qycJRXp5xlhsc1sJ
Static task: static1
Behavioral task: behavioral1
Sample: AWB#5305323204643.exe
Resource: win7-20240221-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.voivocars.com
Port: 587
Username: [email protected]
Password: Gempaid
Email To: [email protected]
Targets
Target: AWB#5305323204643.exe
Size: 785KB
MD5: 34c09836453951d6b12dc61c69c2e23a
SHA1: 8c75f57b9929fcc4dc3005d092268a0589fcdab9
SHA256: d5a64294b4a47e260bf84a9819474e15fa6ffe9ee515a5db68967fd2837f9f1d
SHA512: 9290671794704bac01454571468ff365004521ab4fa14bb32d9f12de868e23987d2ad7ba33ae3c6cddb295a453361209a2c4ec1fc85efaf916e2f32575b37387
SSDEEP: 24576:avRC3c6GxY0hbtGs1KpG836sqg+aIymzK7PgtY+VTYC:a5NY0hZGs1K+sqgN/EKbgtY+VTY
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext