General
Target: orig.eml.exe
Size: 859KB
Sample: 241016-hamvda1gqp
MD5: 33f2fb6f726399e47707e7ac57203448
SHA1: 3192b72e25276bd9768d4890af8cfb19db2b8da7
SHA256: d16537ba8163e5d5c809fed22be949caaaf2fee5e1d5f5dcd9f9a36e4a3709b0
SHA512: 67247f41dbc07e8dad555c992a98c6197671ba4730588c32ffb1e3ba230ad1c467fa28f355872cf5f76280b730985a1fa98d83bb1c585dd6a214e606f0d973b2
SSDEEP: 24576:1AmVuKha1h4qNvjgWkGkky93X5WtswUlAniehy:6894NvJkZt93JSUynxhy
Static task: static1
Behavioral task: behavioral1
Sample: orig.eml.exe
Resource: win7-20240708-en
Malware Config
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: nhpe dfhf irbv bqxe

Extracted
Family: agenttesla
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: nhpe dfhf irbv bqxe
Email To: [email protected]

The 16 lowercase letters in four groups of four match the format of a Google app password, i.e. the sender mailbox is attacker-controlled and used as the exfiltration drop; the host, port, sender and recipient are the network indicators to hunt for, and the credential is worth reporting to the provider rather than reusing.
Targets
Target: orig.eml.exe
Size: 859KB
MD5: 33f2fb6f726399e47707e7ac57203448
SHA1: 3192b72e25276bd9768d4890af8cfb19db2b8da7
SHA256: d16537ba8163e5d5c809fed22be949caaaf2fee5e1d5f5dcd9f9a36e4a3709b0
SHA512: 67247f41dbc07e8dad555c992a98c6197671ba4730588c32ffb1e3ba230ad1c467fa28f355872cf5f76280b730985a1fa98d83bb1c585dd6a214e606f0d973b2
SSDEEP: 24576:1AmVuKha1h4qNvjgWkGkky93X5WtswUlAniehy:6894NvJkZt93JSUynxhy
AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), historically written in Visual Basic .NET, that harvests saved credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP; this sample's extracted config uses SMTP.
Blocklisted process makes network request
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP; stealers include it in the victim profile they exfiltrate.
Suspicious use of NtCreateThreadExHideFromDebugger
A thread was created with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so an attached debugger receives no events for it.
Suspicious use of NtSetInformationThreadHideFromDebugger
NtSetInformationThread was called with the ThreadHideFromDebugger information class (0x11), a common anti-debugging trick: exceptions in that thread are no longer delivered to an attached debugger, so breakpoints in it terminate the process instead of pausing it. When analysing the sample by hand, neutralise the call (hook it or patch its return) before stepping into the payload.
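As an added example (not code from the sandbox, the report or Agent Tesla itself), the following Python triage helper turns the extracted SMTP configuration above into network indicators and applies them, together with the two network-behaviour signatures listed above (SMTP submission by a non-mail process, external IP lookup), to a list of sandbox-style network events. The event records, the mail-client allowlist and the IP-lookup hostnames are constructed or assumed for the example; the config string mirrors the report, with its obfuscated addresses kept as-is.

```python
"""Triage helper for the SMTP-exfiltrating Agent Tesla sample above.

Added example: derives indicators from the extracted SMTP config and flags
the report's network behaviours in sandbox-style events. The events, the
mail-client allowlist and the IP-lookup hostnames are constructed/assumed.
"""
from dataclasses import dataclass
import re

# Config values as reported above; the Cloudflare-obfuscated addresses are
# kept exactly as the page shows them.
EXTRACTED_CONFIG = (
    "Protocol: smtp - Host: smtp.gmail.com - Port: 587 - "
    "Username: [email protected] - Password: nhpe dfhf irbv bqxe - "
    "Email To: [email protected]"
)

# Assumed lists for the example (not from the report).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com",
                   "icanhazip.com"}

# Google app passwords: 16 lowercase letters shown as four groups of four.
APP_PASSWORD_RE = re.compile(r"(?:[a-z]{4} ){3}[a-z]{4}")


def parse_config(text: str) -> dict:
    """Turn 'Key: value - Key: value' into a dict. Values may contain spaces
    (the app password does), so split on the ' - ' separator, not on spaces."""
    cfg = {}
    for chunk in text.split(" - "):
        key, _, value = chunk.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def is_google_app_password(pw: str) -> bool:
    """A match means the drop mailbox is attacker-owned and can be reported
    to the provider; it is not a credential to reuse in analysis."""
    return APP_PASSWORD_RE.fullmatch(pw) is not None


@dataclass(frozen=True)
class NetEvent:
    process: str    # image name of the process that opened the connection
    dest_host: str
    dest_port: int


def triage(events, cfg):
    """Return (event index, finding) pairs for events matching the config
    host/port or one of the two network-behaviour signatures."""
    findings = []
    c2_host, c2_port = cfg["Host"].lower(), int(cfg["Port"])
    for i, ev in enumerate(events):
        proc, host = ev.process.lower(), ev.dest_host.lower()
        if host == c2_host and ev.dest_port == c2_port:
            findings.append((i, "config_smtp_host"))
        if ev.dest_port in SMTP_PORTS and proc not in MAIL_CLIENTS:
            findings.append((i, "smtp_from_non_mail_process"))
        if host in IP_LOOKUP_HOSTS:
            findings.append((i, "external_ip_lookup"))
    return findings


# Constructed sandbox-style events mirroring the report's behaviour.
SAMPLE_EVENTS = [
    NetEvent("orig.eml.exe", "api.ipify.org", 80),
    NetEvent("orig.eml.exe", "smtp.gmail.com", 587),
    NetEvent("outlook.exe", "smtp.office365.com", 587),   # legitimate mail
    NetEvent("chrome.exe", "www.example.com", 443),       # unrelated traffic
]

if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    tag = "(Google app password)" if is_google_app_password(cfg["Password"]) else ""
    print("drop mailbox:", cfg["Username"], "->", cfg["Email To"], tag)
    for idx, finding in triage(SAMPLE_EVENTS, cfg):
        print(f"event {idx} {SAMPLE_EVENTS[idx]}: {finding}")
```

The allowlist approach is deliberately narrow: on an analysis VM almost nothing legitimate speaks SMTP, so any process other than a known mail client opening port 25, 465 or 587 is worth a look, and a hit on the exact host and port from the extracted config confirms the sample reached its drop.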