General
Target: 5be914c978e8a858a23d07b9c78e506741349369484762bc424b87a8934ff7df.7z
Size: 713KB
Sample: 240609-mmzrxsab66
MD5: fb097d61328838c3a21e9859f7b6908a
SHA1: b3f9c3ac5429e73377837132cd18f88447bc5738
SHA256: 5be914c978e8a858a23d07b9c78e506741349369484762bc424b87a8934ff7df
SHA512: 1da2296313d375598c3a7c878ef27babb48827260b48a8c10c15953e25b5d5bc0f25ecdffa10a98d9fb4cb2ef04f4d468de6ba6b9d05060f315928a21fc9fc79
SSDEEP: 12288:5zpiZf6+UWweHA8FkEbDmEO35/FrKqZ5dnGN3F8hgriAvSKGiHbZGpEIknyVO6Cp:viZi+WuJiEbSESP+B3F8hloSG9GpEIkV
Static task: static1
Behavioral task: behavioral1
Sample: packinglist and shippment.exe
Resource: win7-20240508-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: webmaster
Email To: [email protected]
Targets
Target: packinglist and shippment.exe
Size: 977KB
MD5: 1165b11c05474471dc47ff054f8e4398
SHA1: 41977ff5db4bac80d999bb8c5d6eceaee6d3b9ea
SHA256: dd566ea9737c75cf44885c842a944952d23abc1fb315867b4f07c3b8f37ce01b
SHA512: 3dc9dbb18a581630daa00bc59d7aee668881c5464ab7b32b2bd65d9e80376c4e3d5029cce902c9576c05c58dc8c46b2ddf44e8b8add692b6065287c617a3cc6d
SSDEEP: 24576:1ggC3c6a+JXEbSEnORzgF4hWV5ukNaEIkq1BYyS+TigtY+VT3rMxV:1/YJXEbS9FkV5ukNaEL2uySuigtY+VTc
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext