General
Target: Cheque.rar
Size: 90KB
Sample: 240724-hzqbssxbkc
MD5: 7ccc77702ec0ce57fbf91d2d7b68001c
SHA1: 1471b5b7244a5827428e69a3ab5135c956890638
SHA256: 5dff7f29e61b2cd2829722c4e056896a3ff303f3f36bd30950f5636a88b5c814
SHA512: ea47516d2e432ee5f03f51670c723ccda46f4119efa1d96c9374a1cd9d501b8efdfa8b74b084dbb658e1a99e9180bbccd18e9e08d15836471ba446f88da76b28
SSDEEP: 1536:ObI5ui/yQvAgmCYtGwrawiyRmYc/2tM0bvgybDLcZYcvS/MKfN6:ObI5zIgmXIwmwvI4/ON5IN6
Static task: static1
Behavioral task: behavioral1 (Sample: Cheque.js, Resource: win7-20240705-en)
Behavioral task: behavioral2 (Sample: Cheque.js, Resource: win10v2004-20240709-en)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: 162.254.34.31
Port: 587
Username: [email protected]
Password: YyUy8Vfh3cbJ
Email To: [email protected]
Targets
Target: Cheque.js
Size: 479KB
MD5: fe63b3bdffe370e6a4d7d3020486ea4b
SHA1: 457105dc5f103540e5f53963552303ba6148205e
SHA256: a4c2ccd58d2c05289b88acdfd296e01a110ca28ef347d9752e9a5239b385bb29
SHA512: 7d43c8d0f9c218feebebfeb90baa8477792347b29bc46e78030e40f7fd2f8dc8847cf0259852d67621eeb89356017e2ae80fb4081f30b0f89cb32f776471a65c
SSDEEP: 12288:4juNGDcp8kQrSKUjlhkEgV/54KG9dvbcYImaKu82ZYHs5dMM8AQ11WGrp0sa:rGDcpIEjW
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Credentials from Password Stores: Credentials from Web Browsers: Malicious access to, or copying of, a web browser credential store.
- Blocklisted process makes network request
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP address.
- Drops file in System32 directory
- Suspicious use of SetThreadContext