General
- Target: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff
- Size: 689KB
- Sample: 240612-cgybssydje
- MD5: 217fd03c398f156a343e2791206505ad
- SHA1: cc819116f40772ec1ffba29c452063c04d552eaf
- SHA256: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff
- SHA512: fcb633fa506a5212e37fb138b216585af1ad7b25c18685a97ca1b7b9ed4794da7291053da5eefac2a1dac17242feb3f20e6d976db7f7cd7f7794522a4a800af1
- SSDEEP: 12288:H4rx504bFC8VPhPXJfgEbUUz7oBIxtNwwWyPtPew42OZca7L+xN:Yrw4bPPPfg2UYNwwW+PqDZcALg
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe
  - Resource: win7-20240215-en
Behavioral task
- behavioral2
  - Sample: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff.exe
  - Resource: win10v2004-20240611-en
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: w#chNV#1
- Email To: [email protected]
Extracted
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: w#chNV#1
Targets
- Target: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff
  - Size: 689KB
  - MD5: 217fd03c398f156a343e2791206505ad
  - SHA1: cc819116f40772ec1ffba29c452063c04d552eaf
  - SHA256: 4b13fee13544dc3148752435f83f9861e3d14a117ad645d015e336da00ffceff
  - SHA512: fcb633fa506a5212e37fb138b216585af1ad7b25c18685a97ca1b7b9ed4794da7291053da5eefac2a1dac17242feb3f20e6d976db7f7cd7f7794522a4a800af1
  - SSDEEP: 12288:H4rx504bFC8VPhPXJfgEbUUz7oBIxtNwwWyPtPew42OZca7L+xN:Yrw4bPPPfg2UYNwwW+PqDZcALg
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext