General
Target: Payment Slip Scan.zip.001
Size: 613KB
Sample: 240625-nnbxxszfrq
MD5: ca6769b031eda354d8799d61405bf8ba
SHA1: cffd0ea6246b62da50c160734350117adcc5be55
SHA256: 2c24902d806183712cd689df503506e5209d1a91afd351e1546a7a3158d75caa
SHA512: 20528b287316ae1f5593f7022b4e8ebe1c0d33d50c9ce83c06f3cdcd8a0d93a628a402265cf3c820abe7728b63d808c2ac546947f751e075032c2128d63d63a5
SSDEEP: 12288:eJfBwFluMQd65LABwIKpbcoKMc421L8skN/vn+b8GqP3v4Od2:Ofpd65L6oKMct1pOH+4f4Y2
Static task: static1
Behavioral task: behavioral1
Sample: Payment Slip Scan.exe
Resource: win7-20240611-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.voivocars.com
Port: 587
Username: [email protected]
Password: Gempaid
Email To: [email protected]
Targets
Target: Payment Slip Scan.exe
Size: 662KB
MD5: d9fe0cc1c140fdc9f6baa415296141b4
SHA1: 73721cb6750b875fe86c96f3fccfe7e18a2f51ae
SHA256: 70342c79a11ed5e15d3a8b82db46eeef5c9917d3c1478ddd369a57fb02fcc6ae
SHA512: 9112470be6610837adde3bf3637bf1169435bbd5b0d89f41e04e6690f912b9f6cea2de2e4ce50d97dedcf6c95758ba1e8a94f6a62c50e7ebd9773bf1d951e0ce
SSDEEP: 12288:3vRwtNQMQL65hA4NppTwgMEEu2Z7L8skr/vb+hflaYGod:/5L65hAiE7pmHSyYGW
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.

Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP address.

Suspicious use of SetThreadContext