General
Target: Oustanding Invoices.zip
Size: 653KB
Sample: 241016-mp763syhrp
MD5: 6d24acf8e0e8ffff74a21ff09c818e06
SHA1: 36237918c5c678282020d3eca5e647ea66153197
SHA256: ee1b7275bcf909be5d30a4eaa7accf81308378989ba39ee2314ed36b9a705ed0
SHA512: e2fd8cc39fa479e421dacdb018845e25bd2bd6ef528cfe4f4b11d95204e9ea6fa58e1ac8f7f9d0ab33b9f197ee625f7d87c04b6e8756fae25c0f949d1058120d
SSDEEP: 12288:m2cjfRzfn0n9nkYetlrAj/zu/HNMClFaQ5b6xKImeEJlJVA0j33X:1cjfF0n9nw7rc/qv+sFaQsxKdtA8H
Static task: static1
Behavioral task: behavioral1
Sample: Oustanding Invoices.exe
Resource: win7-20240903-en
Malware Config

Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: oadc jzrw bmvr klnl

Extracted (agenttesla)
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: oadc jzrw bmvr klnl
Email To: [email protected]
Targets

Target: Oustanding Invoices.exe
Size: 788KB
MD5: 65061801d64c7154fdcafe07289fdd64
SHA1: 88f6c3bc401aeddf395a409ece7ae3f44721a06c
SHA256: 95e8ab1f03e2ab0b9b2591d310a42813726f13d6d2a4301bfd117c1c0c6fe9e1
SHA512: 58aedadb06f2e0f664022832d43bf34136573db6106d0b620cd6554c1f31948eb89b81074bd932754f0befddab1a6144fac4256e90190228aff5520e81cf841f
SSDEEP: 12288:DHANG3RciXWNhnABLQ8LbMUeKIoBg1z+W0Cla+ve7bAvANa24jVY:DHxcVjABRYMIYOzp0sjvzE1z

- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger