General
-
Target
9c5220ea47fe0fd51eeb0da17c69c465c5cf411105fdf661ab56b6239c9853fe
-
Size
740KB
-
Sample
250122-c8fwtstqct
-
MD5
30f94b7d06aa31fce3f878a4c4c0584a
-
SHA1
aff6f2239621be99101c27b96a3427319522f2b3
-
SHA256
9c5220ea47fe0fd51eeb0da17c69c465c5cf411105fdf661ab56b6239c9853fe
-
SHA512
b0c0ee8b4572beab663bcae0369b01afd7e5f95a86da1393a7c78a679631a6db0ab63214abc42617ebcb7ce5a686e27efb5285deef18666495d59a662817288a
-
SSDEEP
12288:mfG4O5q7wxnFFPB4szk2T9puLKFzfQ4OELa6pmsvda/9PF1XC7Cs/CDYS0p07EkY:t48xnFFPBxX0Leu6phOFS/CES0pkYP
Static task
static1
Behavioral task
behavioral1
Sample
HBL NO- NGT25010873/HBL NO NGT25010873.scr
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
HBL NO- NGT25010873/HBL NO NGT25010873.scr
Resource
win10v2004-20241007-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://s4.serv00.com - Port:
21 - Username:
f2241_evica - Password:
Doll280@@
Extracted
Protocol: ftp- Host:
s4.serv00.com - Port:
21 - Username:
f2241_evica - Password:
Doll280@@
Targets
-
-
Target
HBL NO- NGT25010873/HBL NO NGT25010873.scr
-
Size
1.7MB
-
MD5
b80331ab84fb85129717d5d846097bdb
-
SHA1
cee98d946b4dd163997031702718aaeace697b6c
-
SHA256
45717708e1d13150abc0d57e9c014443649b4e50243dc3409dda599cfcb2f4e0
-
SHA512
5e8f3173a92dae236f5c9529aca481c3875cb227c859d686308ab1edac416cd5a55acc4bee83fa293dfd71937850dea000dbdc6c0605de0dc48a1eaea855bc28
-
SSDEEP
24576:ASexfdr+bRvWH/i+vKzm3EEExkXq7TYA2rQtlHPI47s:dLReHaol0QQB
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1