General
-
Target
Bank confirmation.tar
-
Size
1.3MB
-
Sample
250121-hrha8a1rdk
-
MD5
18e9c4abe7e1ce186a6cabbb4f95a997
-
SHA1
6f0a0a88f757ae22570ae6d834ab04e7c2b57cb7
-
SHA256
7dff38e2b48d0a764d040536679c17b882e2f16ec8258e378672b0d3ad6ffe26
-
SHA512
2f3f7706d994b70368de2ed9d190ee024f67f5110056648a1973561644b794babb01718391f319f5462b9a92923f6ce445a91cc1b900a03aa07b8d94302ba107
-
SSDEEP
24576:N/5IZpgR2pWI0qJSmlcVNdtf0dqaJ88oK7VoU6RBIAEPXVknnkMrRn8s1q:bopgR2pXNLcV3t0bwCLe3mokMN8l
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Targets
-
-
Target
Bank confirmation.exe
-
Size
1.3MB
-
MD5
754ac7a415b8274b13cb2cc4783b5ae1
-
SHA1
c4c5070f6fd6cba876b1a1c1f86e15e6d32dda59
-
SHA256
578cabfe9302c26e7dc8be3fa6de971205bc0886957da1c8b29619d9c1026610
-
SHA512
b8c2be0ec5d12f15bd36d8180862fe093ff1dc7de5ecba2c1ccb01f9b7cbe37c41e68e5f4336be93113a03edc4a2b21eadef4d3ee815ca99a46f6d2fb01d6151
-
SSDEEP
24576:9/5IZpgR2pWI0qJSmlcVNdtf0dqaJ88oK7VoU6RBIAEPXVknnkMrRn8s1q7:LopgR2pXNLcV3t0bwCLe3mokMN8l7
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Drops startup file
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-