General
- Target: DisabRFQ.cmd
- Size: 186KB
- Sample: 241002-avn9yayapr
- MD5: ebce0a20c122505799e5e1569be59e2e
- SHA1: fb8b81cfbeadadb1d8e4d8b73ad617e501dd9b23
- SHA256: efa2b4bc11dad2f4e20dad65bab3cac046a7ae4190576686aee80e8c9dd0f86f
- SHA512: a58ceffc7912d30132072773f59f24dc92fe28283441b3e0bb53d415f1d01baa3a3db113bdbc4ebc666fa9c8eaf96bfcc1b503b9ac9fc99df0b90b32e432bb48
- SSDEEP: 3072:p/n1G9evqEB5pB20ESaH8cywXWZ2dQFVHiG1aDDrxVWjKdemlgxq5kV/C0xF/K83:l1G9ePESaH8cywXWZ2dQFBiG1aDDrxVk
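To confirm that a file on disk is this sample, compute its digests in one streamed pass and compare them with the values listed above. This is an added example, not part of the sandbox report; the only report data it uses are the four hashes. SSDEEP is left out because fuzzy hashing needs a third-party library (not the standard library), and a fuzzy match is a similarity score, not an identity check.

```python
"""Verify a file against the MD5/SHA-1/SHA-256/SHA-512 listed in the report.

Added example, not part of the sandbox report. The file is read in chunks so
large samples do not need to fit in memory, and all four digests are computed
in a single pass.
"""
import hashlib
import sys

# Hashes copied from the "General" section of the report.
REPORT_HASHES = {
    "md5": "ebce0a20c122505799e5e1569be59e2e",
    "sha1": "fb8b81cfbeadadb1d8e4d8b73ad617e501dd9b23",
    "sha256": "efa2b4bc11dad2f4e20dad65bab3cac046a7ae4190576686aee80e8c9dd0f86f",
    "sha512": "a58ceffc7912d30132072773f59f24dc92fe28283441b3e0bb53d415f1d01baa"
              "3a3db113bdbc4ebc666fa9c8eaf96bfcc1b503b9ac9fc99df0b90b32e432bb48",
}


def hash_stream(chunks):
    """Feed every chunk to all four hashers; return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory byte string (handy for tests and small blobs)."""
    return hash_stream([data])


def hash_file(path, chunk_size=1 << 20):
    """Digests of a file read in 1 MiB chunks."""
    def chunks():
        with open(path, "rb") as fh:
            while True:
                block = fh.read(chunk_size)
                if not block:
                    return
                yield block
    return hash_stream(chunks())


def match_report(digests, expected=REPORT_HASHES):
    """Algorithms whose digest equals the report's value (hex compared case-insensitively)."""
    return sorted(name for name, value in expected.items()
                  if digests.get(name, "").lower() == value.lower())


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <file>", file=sys.stderr)
        return 2
    digests = hash_file(argv[1])
    matched = match_report(digests)
    for name in REPORT_HASHES:
        flag = "MATCH" if name in matched else "-"
        print(f"{name:7s} {digests[name]}  {flag}")
    # Exit 0 only if every listed hash matches; a partial match means a
    # transcription error somewhere and deserves a second look.
    return 0 if len(matched) == len(REPORT_HASHES) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python verify_sample.py DisabRFQ.cmd`; all four lines should read MATCH for the file this report describes.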
Static task: static1
Behavioral task: behavioral1
- Sample: DisabRFQ.exe
- Resource: win7-20240903-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.al-subai.com
- Port: 587
- Username: [email protected]
- Password: information12
- Email To: [email protected]
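The extracted config gives the defender two concrete network indicators: the exfiltration mail server (mail.al-subai.com) and the submission port (587). The account names on this page are redacted ("[email protected]"), so detection has to key off host and port rather than the mailbox. The block below is an added example, not part of the sandbox report: it runs that logic over a few constructed endpoint-firewall log lines in an invented `key=value` format, flagging any connection to the C2 mail host and any SMTP-port connection from a process that is not a known mail client (the `MAIL_CLIENTS` allow-list is an assumption for the example).

```python
"""Flag outbound SMTP traffic matching the Agent Tesla config from the report.

Added example, not part of the sandbox report. Log format, hostnames WS01-WS03
and the mail-client allow-list are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Taken from the "Malware Config" section of the report.
AGENTTESLA_SMTP = {"host": "mail.al-subai.com", "port": 587}

# Ports on which legitimate SMTP submission/relay happens.
SMTP_PORTS = {25, 465, 587}

# Processes allowed to speak SMTP on this fleet (assumption for the example).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample log lines (not from the report). Line 2 mirrors the
# "Looks up external IP address via web service" behaviour; line 3 is the exfil.
SAMPLE_LOG = """\
2024-10-02T09:14:02Z host=WS01 proc=outlook.exe dst=smtp.office365.com dport=587 proto=tcp
2024-10-02T09:14:09Z host=WS01 proc=DisabRFQ.exe dst=api.ipify.org dport=443 proto=tcp
2024-10-02T09:14:11Z host=WS01 proc=DisabRFQ.exe dst=mail.al-subai.com dport=587 proto=tcp
2024-10-02T09:15:30Z host=WS02 proc=powershell.exe dst=mail.al-subai.com dport=25 proto=tcp
2024-10-02T09:16:00Z host=WS03 proc=chrome.exe dst=mail.al-subai.com dport=443 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    proc: str
    dst: str
    dport: int
    reason: str


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; dport is coerced to int."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    fields["dport"] = int(fields.get("dport", 0))
    return fields


def find_smtp_exfil(log_text, c2=AGENTTESLA_SMTP, mail_clients=MAIL_CLIENTS):
    """Return one Hit per log line that matches the C2 host or is SMTP from a non-mail process."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        proc = f.get("proc", "").lower()
        dst = f.get("dst", "").lower()
        reasons = []
        # Indicator match: any protocol/port, the host alone is enough.
        if dst == c2["host"].lower():
            reasons.append("destination matches extracted C2 mail host")
        # Behavioural match: SMTP from something that is not a mail client.
        if f["dport"] in SMTP_PORTS and proc not in mail_clients:
            reasons.append(f"SMTP port {f['dport']} from non-mail-client {proc}")
        if reasons:
            hits.append(Hit(f["ts"], f.get("host", ""), proc, dst, f["dport"],
                            "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for hit in find_smtp_exfil(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} {hit.proc} -> {hit.dst}:{hit.dport}  [{hit.reason}]")
```

The host indicator is the sharper of the two rules and should page on its own; the "SMTP from a non-mail-client" rule is broader and will catch the next Agent Tesla build pointed at a different mail server, at the cost of needing the allow-list tuned per environment.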
Targets
- Target: DisabRFQ.cmd
- Size: 186KB
- MD5: ebce0a20c122505799e5e1569be59e2e
- SHA1: fb8b81cfbeadadb1d8e4d8b73ad617e501dd9b23
- SHA256: efa2b4bc11dad2f4e20dad65bab3cac046a7ae4190576686aee80e8c9dd0f86f
- SHA512: a58ceffc7912d30132072773f59f24dc92fe28283441b3e0bb53d415f1d01baa3a3db113bdbc4ebc666fa9c8eaf96bfcc1b503b9ac9fc99df0b90b32e432bb48
- SSDEEP: 3072:p/n1G9evqEB5pB20ESaH8cywXWZ2dQFVHiG1aDDrxVWjKdemlgxq5kV/C0xF/K83:l1G9ePESaH8cywXWZ2dQFBiG1aDDrxVk
AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer (keylogging, clipboard and credential theft); the config extracted above is the SMTP channel this sample uses to mail stolen data out.

Signatures:
- Suspicious use of NtCreateUserProcessOtherParentProcess: a child process was created with a parent other than the calling process, i.e. the parent handle was supplied explicitly rather than inherited, which is the mechanism behind parent-PID spoofing.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP, typically to include it in the victim fingerprint that is exfiltrated.
- Suspicious use of SetThreadContext: rewriting a (usually suspended) thread's register context is the step in process hollowing and similar injection where execution is redirected to the injected payload.