General
-
Target
PRODUCTS LIST.pdf.exe
-
Size
620KB
-
Sample
240619-s6cpdssgrg
-
MD5
a9cc3ce556bed1f4f023dfb299b54d32
-
SHA1
61eacf083e3a9fdb55825ecaedcac6596746d3f7
-
SHA256
e6467422567d07f55c891b1c452dfb2c3c3d24ffa243799c91004cedb8a0dd0c
-
SHA512
dd446826fe672b9d162f2f18f08cfcc2ffa0e8586498423e27cbbd00737d5e31b0ecc031ec6cb4d416f1547718c8bc10e615815b4525a25fafb07ead0cf4fd32
-
SSDEEP
12288:+tX62p8VeLrV6/dcfRGwvjTJGGyHwMmgjjhz3vVe0r8N3j7D:uzyKE/dcfgcIzHM+hLvboNT
Static task
static1
Behavioral task
behavioral1
Sample
PRODUCTS LIST.pdf.exe
Resource
win7-20240419-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.trisquarespl.com - Port:
587 - Username:
[email protected] - Password:
^uw)^EY5 - Email To:
[email protected]
Targets
-
-
Target
PRODUCTS LIST.pdf.exe
-
Size
620KB
-
MD5
a9cc3ce556bed1f4f023dfb299b54d32
-
SHA1
61eacf083e3a9fdb55825ecaedcac6596746d3f7
-
SHA256
e6467422567d07f55c891b1c452dfb2c3c3d24ffa243799c91004cedb8a0dd0c
-
SHA512
dd446826fe672b9d162f2f18f08cfcc2ffa0e8586498423e27cbbd00737d5e31b0ecc031ec6cb4d416f1547718c8bc10e615815b4525a25fafb07ead0cf4fd32
-
SSDEEP
12288:+tX62p8VeLrV6/dcfRGwvjTJGGyHwMmgjjhz3vVe0r8N3j7D:uzyKE/dcfgcIzHM+hLvboNT
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-