General
- Target: 0ddcb17097f0e1998ca761e91b6e1664d2368a991718b6b9bf7e732e58f7d624N.exe
- Size: 1.3MB
- Sample: 250111-cnkdhsymcv
- MD5: 1e56ec2a51a4915e93e8effb259a8b90
- SHA1: 23f14bdaffdad18e43b2965b7b901805cfc08aca
- SHA256: 0ddcb17097f0e1998ca761e91b6e1664d2368a991718b6b9bf7e732e58f7d624
- SHA512: 6e1e4901a853687bf478ed129f840fc564aa6c38fe322ea147a5049fd80f0d1a0138742b515b0395d8724e2ea268dc49e2f8a53fab5c8b48c9d4c031577a659e
- SSDEEP: 24576:RphXFfIvZNmXcXhdkvWRC/2HnolvfCrKmSUCjvUXT/iF3pxX5FFC:Rphah8Z+Riv9MKvU8vUGNpjF
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 0ddcb17097f0e1998ca761e91b6e1664d2368a991718b6b9bf7e732e58f7d624N.exe
  - Resource: win7-20241010-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: [email protected]
- Password: webmaster
- Email To: [email protected]
Targets
- Target: 0ddcb17097f0e1998ca761e91b6e1664d2368a991718b6b9bf7e732e58f7d624N.exe
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext