General
-
Target
48f845c33f790a9cf74760a5a8aa6ce48cfcab9eb0053f6b983333e6f2c6e828
-
Size
608KB
-
Sample
240915-h8za3asbmd
-
MD5
f9d3bf5abef1a65da94302943e55489d
-
SHA1
e5d51928351174acb17b98aa6d6957fa1ed61cc7
-
SHA256
48f845c33f790a9cf74760a5a8aa6ce48cfcab9eb0053f6b983333e6f2c6e828
-
SHA512
9f24ce077aa59de9977bd5a72a145d6c0cfd2d8dcbe1053a5a7243844f91f74b3b189aa4d8c30cbbe5375abfe6ba15e9ebd70960d9b4e54304d1e5de97bdb7d7
-
SSDEEP
12288:JnDMGuXoIy5jC37kvIgp1SS6ffTWwchhhoFVxmggPQnwf2Oy3:a2IypqcIEtMfqwbFsPQnwf2Oy3
Behavioral task
behavioral1
Sample
INVOICE09876545J.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
INVOICE09876545J.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.antoniomayol.com:21 - Port:
21 - Username:
[email protected] - Password:
cMhKDQUk1{;%
Targets
-
-
Target
INVOICE09876545J.bat
-
Size
633KB
-
MD5
38febc8fe240353eab810eeedc379961
-
SHA1
4145de7c3f531f10c786d09302923f0572244d53
-
SHA256
eb59c6e8a42daf2f27f8112f109e563128e0d2b3a4cd9a074832e68e75cb9870
-
SHA512
a276a728bf50085a0aa2902ef4dbc97a88d6b4428a2ee1a75474382b451ebe8bec3bc126845d470540df06f72004c9ec3a6481f3ecfaa6446719910f3b9490b5
-
SSDEEP
12288:tz7hU5I5yuNHIgzSFKxWltRohBfSTso93UCv1hNhcFVxO4ePQnAf2Oy15:tf+iN57Gtene3lMFYPQnAf2OyH
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-