General
Target: 19062024_1619_19062024_Package status.zip
Size: 575KB
Sample: 240619-tsxcbatbnf
MD5: 35f321a6d92cfe2b48c968810016d252
SHA1: 81fc2a72d67af49a212561e91daa1d07cd2a3e09
SHA256: 7972ebd87bcda12969db2307835bcddbbd53ca5a287331906000d6f5bb7beebd
SHA512: 728ccf3ec09f0a739f60c0b81eccad89728bf93cca4fda1905ae39ac490148e41141bfd830f98184dacaac8b52acd7092cc373c516c3cafc489e13023a6d8e88
SSDEEP: 12288:+6g0eth6/ig3fwGaWCOs7BKvLc2Leko5m3nnplhbOQ2X4br5lDf8IGvyT:+6Ith6/ig3VaWpvLxOm3nnplvqmD1Gvm
Static task: static1
Behavioral task: behavioral1
  Sample: Package status.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: Package status.exe
  Resource: win10v2004-20240611-en
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.gmail.com
  Port: 587
  Username: [email protected]
  Password: vjru ncjq zilj zxwk
Extracted
agenttesla
  Protocol: smtp
  Host: smtp.gmail.com
  Port: 587
  Username: [email protected]
  Password: vjru ncjq zilj zxwk
  Email To: [email protected]
Targets
Target: Package status.exe
Size: 810KB
MD5: f7f038db9cf8b30eedadbd0e1bd06475
SHA1: 183a7e4912252c912340580478a756449d420c18
SHA256: 1c4bde8818c2caac1ea5d08697561d52e4f977a31f648ef55fe54f13efe572e1
SHA512: 43ce6cce5d06b7317b524689610b9154ffb2d7b16a55328321b19eb4baba9fb793f46e6d4e2ca582cfa5c5b7d7627e59cbd1860169efa31f4eadae3155322d1e
SSDEEP: 12288:NX8AAopS5s7Prs1K9qjmF7UC5xkd56/iS3xwWaoSOs9BOvLcajeUoZe3xn7dhLO3:18N56/iS3Dao55LTue3xn7d3sCDPa7l
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext