General
Target: ac96bb0f3a91ebfb176baecf8f3232ae86d40a9565733432fe21b3a3da7dbb52
Size: 2.3MB
Sample: 250505-bvkgesv1ht
MD5: b648fa91a28c763d59ffd7d8470b990d
SHA1: 2a18fe2e85ec465954af05f0afd3dd26639b9630
SHA256: ac96bb0f3a91ebfb176baecf8f3232ae86d40a9565733432fe21b3a3da7dbb52
SHA512: 4c0dba777ce7d369f6c70be70285bd606269f1ab58f627e65060b6e07f779ad3ed70800b11ad57cde13dc995b39b1b9ec27d321a4399ec2f1297cf2058de1a0d
SSDEEP: 49152:QxI3DJOC5OGq97V5l/2n0yDIwABzptASqecr8KYCKa/aTTr4LTz:YGhXq9x/2nEzAbecIKpKa/I4LX
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ-Materials-LBS9782-NB13-Specifications-pdf.exe
  Resource: win10v2004-20250502-en
Behavioral task: behavioral2
  Sample: RFQ-Materials-LBS9782-NB13-Specifications-pdf.exe
  Resource: win11-20250502-en
Malware Config
Extracted
Protocol: smtp - Host: mail.xma0.com - Port: 587 - Username: [email protected] - Password: london@1759
Extracted: agenttesla
Protocol: smtp - Host: mail.xma0.com - Port: 587 - Username: [email protected] - Password: london@1759 - Email To: [email protected]
Extracted: darkcloud
Protocol: ftp - Host: ftp.mailo.com - Port: 21 - Username: [email protected] - Password: london@1759
Targets
Target: RFQ-Materials-LBS9782-NB13-Specifications-pdf.exe
Size: 2.7MB
MD5: 424488e019388f49ef9e7b25730923a3
SHA1: edc134717b09b18488e50483d2d7cb45b2253e98
SHA256: 95075ecbdcd1ff294433ceeb45d7bb3d24e94857620dba98b5f6b08250cff811
SHA512: 117457609b1cbf06714018e8d47d97c8af533ef94d4fc15fd293a6a02abd203971f890a9b9a82800c2826029bfde84ee9094527b37870a098e3c76fe426947ca
SSDEEP: 49152:8Vg5tQ7apGIIyWG6Nrx5o3hfsWhANqzS3BOZRsWylxJi69tl/Dl5:Gg56ejc5aa9NCS3BnzJ3lD
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Darkcloud family
- Drops startup file
- Executes dropped EXE
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- AutoIT Executable: AutoIT scripts compiled to PE executables.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v16
Credential Access
  Credentials from Password Stores (1)
  Credentials from Web Browsers (1)
  Unsecured Credentials (4)
  Credentials In Files (3)
  Credentials in Registry (1)