General
-
Target
0d38a75eaacd1df541127d09bdfae1fd1ccc166a8f8e5f0c8f9566c1ca7cc3ad.exe
-
Size
1.0MB
-
Sample
240806-bmfhhaydkd
-
MD5
1bd159a855549ca23ae267d10eb541bf
-
SHA1
f7c6c06615c1d80c08aea49e18978e03dc50200f
-
SHA256
0d38a75eaacd1df541127d09bdfae1fd1ccc166a8f8e5f0c8f9566c1ca7cc3ad
-
SHA512
ed6ac026699e2ea9c4fcde156a1c6499b45184477e0606cd3c9b10a3c606fc820065d2c3349222123cf14b5cc95dc3ea33d30598d6afba2e4c9cffaf93f87d0e
-
SSDEEP
24576:Dt1c89prwmySNJzfQrgdyjmPvr0GGtYt7kXoBsppTjICxJ:BKoJlNC0yaPvr0GRcoIcq
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.osmahab.com - Port:
587 - Username:
[email protected] - Password:
emailOSMAHAB123456I - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.osmahab.com - Port:
587 - Username:
[email protected] - Password:
emailOSMAHAB123456I
Targets
-
-
Target
0d38a75eaacd1df541127d09bdfae1fd1ccc166a8f8e5f0c8f9566c1ca7cc3ad.exe
-
Size
1.0MB
-
MD5
1bd159a855549ca23ae267d10eb541bf
-
SHA1
f7c6c06615c1d80c08aea49e18978e03dc50200f
-
SHA256
0d38a75eaacd1df541127d09bdfae1fd1ccc166a8f8e5f0c8f9566c1ca7cc3ad
-
SHA512
ed6ac026699e2ea9c4fcde156a1c6499b45184477e0606cd3c9b10a3c606fc820065d2c3349222123cf14b5cc95dc3ea33d30598d6afba2e4c9cffaf93f87d0e
-
SSDEEP
24576:Dt1c89prwmySNJzfQrgdyjmPvr0GGtYt7kXoBsppTjICxJ:BKoJlNC0yaPvr0GRcoIcq
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-