General
- Target: 3ca5a99c51b7351cf9a72b2c59ec06cfa5c46d98b4d6a5e87d685132ec7c39e4
- Size: 1.2MB
- Sample: 250118-br8pvayne1
- MD5: de2499a8f484bf4a4e7d7e788c307b03
- SHA1: f8ea8b4d1bcad132fed245532bbf3ac78a28293a
- SHA256: 3ca5a99c51b7351cf9a72b2c59ec06cfa5c46d98b4d6a5e87d685132ec7c39e4
- SHA512: 8ce887599f8b75f6fbaf9b638191a975bb88906bd21aa4cce363f4cb77889c17f19b03e12bdbf98a25e2252d3815fba74744c003644f1128788348781b689d70
- SSDEEP: 24576:NuHQRbbxIv//hq01Ln28kUg3zKimeTjXFYkhx5ygV7iVV3cg:7K4my8GWimevphxogkVt
Static task: static1
Behavioral task: behavioral1
Sample: Purchase order 5676787.exe
Resource: win7-20240903-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.iaa-airferight.com
- Port: 587
- Username: [email protected]
- Password: webmaster
- Email To: [email protected]
Targets
- Target: Purchase order 5676787.exe
- Size: 1.5MB
- MD5: 9dd242941dd5c10772672a0dd674f2c7
- SHA1: 42aada83c3ee9f51baa04038be352ebbfb0dab76
- SHA256: 1d0ecbee2ea99b45df1322f5852439e0b3413442290f5c9188a798f8350f90b7
- SHA512: b741cddaa614fc6d526efa2358db8400536912fd34e04de7a3132fd2b6ee3a1690fe5410bc937afa22b7faa5c25fdefe6976f9fe454d2eefb8536eb2737be25b
- SSDEEP: 24576:+oqYwSdvFEO6ABTGcowVq1ABH4f3xICkFtKgloyvZNfd28N3MCXUAncjvW:+67RWAR4/xIrFowLfd28eCJWW
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext