General

Target: 1d6a60d84172996ec0c6e86d63936858c1250ba45917e6036289de0395e5dfc6
Size: 1.2MB
Sample: 240612-bnl2nsxdra
MD5: c1aa587e5098d163df3ebf7df8aef903
SHA1: 79b890440cd1393faa497f0f633f87e19fde4375
SHA256: 1d6a60d84172996ec0c6e86d63936858c1250ba45917e6036289de0395e5dfc6
SHA512: c6eb1d8019ad7b09d59a248c7a3e752e609457edacb3e73b4c80ba7156f47c7d69449fd14d0a042c385e10986defa04d0e571311f4faa65ba10b0c5d037e8d5b
SSDEEP: 12288:dxuis19r2PFfAyiD2+YLdqOICghxPJd/9p/wXyEn/EKDEm:dxjs1d2VATy+sdqO4djIXyMD
Static task: static1
Behavioral task: behavioral1
Sample: RFQ-7448987655788986757937.exe
Resource: win7-20231129-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: cphost09.qhoster.net
Port: 587
Username: [email protected]
Password: Emotion!22
Email To: [email protected]
Targets

Target: RFQ-7448987655788986757937.exe
Size: 2.1MB
MD5: c9bfc30fc5fd70bd5d5b6e6997978870
SHA1: 6ca99e9f5743257cf45d2d2e31612eabb012806c
SHA256: 9bef0bc36f9dd413a45a2b2b90edfe1acce5645bb97e556cfe1b1c1fbaa22933
SHA512: ee5c1e3c99d48dee0b35943fc8d3ef35a950a5fcbf41c9086c1341c1e579418be1a4bf10eaeb9db1aa9da0683e74ae4b88f04443544c28ab0bab1fef57247cf6
SSDEEP: 12288:gBRr2PXFAyiDAQY1dqEICg9xP9dp9p3wXy2n/YK1Eg3:y21ATEQwdqEWdRgXyo1F
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext