General
- Target: hesaphareketi_27_03_2025_20kb pdf________________________________________________________________________pdf__.exe
- Size: 832KB
- Sample: 250402-jpk5rswnv2
- MD5: 45e5f07cd39f551a19a56c06d6120a53
- SHA1: 8bbc6b9b1a3eba913f567e98bd1af1a1d992be45
- SHA256: 9dd4728855aa9fb7d5294a2e71310a37b65045e2c9f2d20417fbc18809b2bdc4
- SHA512: 7e10ed3b420f13c90809c514d671cb5c0137af2fb676e46789b59c491fd31a5ef79b49062c74ed0b034152e2fbb3b437e28458cef4ca10a5738ea378e14590bc
- SSDEEP: 12288:HxqDm9TWRLoiNiBSkR1tIaFGDHaYdvfc3ZnP24xP/uBeYMZ0mSQULa:J9TjigSWhFGOYJfc3ZPFnYfMNc
- Static task: static1
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.dorasanat.com.tr
- Port: 21
- Username: [email protected]
- Password: snakeftp12345@
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.dorasanat.com.tr
- Port: 21
- Username: [email protected]
- Password: snakeftp12345@
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely as a geofence check.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext