General
-
Target
7ef6305262d67fa4e9550987d7b4f5ab5ca76b8833ef35c26f325b691d091837
-
Size
623KB
-
Sample
240913-xth3vstbrp
-
MD5
12fe7307ba68ffcc89c0993d891ec2e5
-
SHA1
554a39bd550ba700be25c3f4464121af60448d75
-
SHA256
7ef6305262d67fa4e9550987d7b4f5ab5ca76b8833ef35c26f325b691d091837
-
SHA512
bd17480138d25ff356454b46add37bb6561575b1c4fc95cff53c467a035a48995dc4d8a2d8af0d12f8fc9d0ce469764ce7befe06bfb76503e0740a7585a50429
-
SSDEEP
12288:iw0K1ZYyVUccVxoCnt2AnpcSts5r7qriYnPn5dax2EwtAwm3oW8ItyC8yKfEd:tH1/VTDCt2ApcStshqriwPnXax2EKgoG
Static task
static1
Behavioral task
behavioral1
Sample
FSCDL2407009-Debit Note.scr
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FSCDL2407009-Debit Note.scr
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
BIGNAIRA2024 - Email To:
[email protected]
Targets
-
-
Target
FSCDL2407009-Debit Note.scr
-
Size
669KB
-
MD5
9f1263691f61af5eb7a7b8ad52134be2
-
SHA1
2fae8614a8c48b09140ad431d20c89ec0e6c70fa
-
SHA256
1736cd52fdc1deacedeac1de86d461ceb01c476e307520762b74b67ca8fa4b4b
-
SHA512
4b5de03719f4fcd7bc2cb94879589b605c8f95cb397bf4293c781ffdcb4e1b42953bea8da2474f73a2d4de162fcc4c11d9b99a15c9acb0ac233820bf9039594b
-
SSDEEP
12288:1z7kvDoQE2wD/Cv3BZCU30HapCU0q3ly+t/DlVUjaKPTUw79ylQ/ePooitapDcaJ:1zoXwDgZ/096v3UFPDw3goitapDcG
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-