General
-
Target
aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5
-
Size
678KB
-
Sample
230203-t5ja8abf3v
-
MD5
607d8ff147f8f5cfc825c159319684ef
-
SHA1
827b8de4f2db33ac5d9a43445d71d1c003827ae4
-
SHA256
aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5
-
SHA512
54b224478acacb7249ae8bfb822341f366bebd93a255f8c63c0c2d169a81276fb2a4305c9e1c3918311112dfd960acd66e848afbabe8b17c7526ad3bd180c3f5
-
SSDEEP
12288:8cMkhWAEQ0CQncg1mbwhvsZEatpSe220XBUohsNbL7YJw:CzQ0CQcdOtkkeN0XBUoheV
Static task
static1
Behavioral task
behavioral1
Sample
aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5.exe
Resource
win10v2004-20221111-en
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.sentientshift.com
Port: 21
Username: senti@sentientshift.com
Password: @sentientshift.com
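The extracted configuration is what a responder turns into network indicators. The following Python is an added example, not code from the sandbox or from Agent Tesla: it parses the config exactly as the report flattens it ("Label: value - Label:" runs), derives the FTP hostname and port, fingerprints the credential so the record can be shared without leaking the password, and emits a Suricata-style rule on the FTP USER command. The rule's sid and $HOME_NET usage are assumptions to tune locally.

```python
"""Turn the report's flattened 'Malware Config' block into structured fields
and network indicators. Added example, not sandbox or Agent Tesla code."""
import hashlib
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed input: the extracted config exactly as the report flattens it.
RAW_CONFIG = (
    "Protocol: ftp- Host:\n"
    "ftp://ftp.sentientshift.com - Port:\n"
    "21 - Username:\n"
    "senti@sentientshift.com - Password:\n"
    "@sentientshift.com"
)

FIELDS = ("Protocol", "Host", "Port", "Username", "Password")
_LABELS = "|".join(FIELDS)
# A value runs from its label up to the next " - Label:" separator or end of text.
_FIELD_RE = re.compile(rf"({_LABELS}):\s*(.*?)\s*(?=-\s*(?:{_LABELS}):|$)")


@dataclass(frozen=True)
class ExfilConfig:
    protocol: str
    host: str
    port: int
    username: str
    password: str


def parse_config(raw: str) -> ExfilConfig:
    """Parse the flattened block; raises KeyError if a field is missing."""
    text = " ".join(raw.split())  # collapse the line breaks the renderer added
    fields = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(text)}
    return ExfilConfig(
        protocol=fields["Protocol"].lower(),
        host=fields["Host"],
        port=int(fields["Port"]),
        username=fields["Username"],
        password=fields["Password"],
    )


def indicators(cfg: ExfilConfig) -> dict:
    """Shareable indicators: the password is replaced by a SHA-256 fingerprint
    of user:password so the record can be distributed without the credential."""
    hostname = urlparse(cfg.host).hostname or cfg.host
    cred_fp = hashlib.sha256(f"{cfg.username}:{cfg.password}".encode()).hexdigest()
    return {
        "protocol": cfg.protocol,
        "hostname": hostname,
        "port": cfg.port,
        "username": cfg.username,
        "credential_sha256": cred_fp,
    }


def suricata_rule(cfg: ExfilConfig, sid: int = 1000001) -> str:
    """Assumed rule shape: match the FTP USER command carrying the exfil account.
    sid and $HOME_NET are placeholders for local tuning."""
    return (
        f"alert tcp $HOME_NET any -> any {cfg.port} "
        f'(msg:"AgentTesla FTP exfil login {cfg.username}"; '
        f"flow:to_server,established; "
        f'content:"USER {cfg.username}"; nocase; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    cfg = parse_config(RAW_CONFIG)
    print(indicators(cfg))
    print(suricata_rule(cfg))
```

Matching on the USER command rather than on the hostname catches the login even when the C2 moves to a different IP or a CNAME; the hostname and port from `indicators()` still belong in DNS and firewall blocklists.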
Targets
-
Target
aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5
-
Size
678KB
-
MD5
607d8ff147f8f5cfc825c159319684ef
-
SHA1
827b8de4f2db33ac5d9a43445d71d1c003827ae4
-
SHA256
aa49bac60c112bacd7f6c55e698c573a621ae3187601f739b00392bd137e1ba5
-
SHA512
54b224478acacb7249ae8bfb822341f366bebd93a255f8c63c0c2d169a81276fb2a4305c9e1c3918311112dfd960acd66e848afbabe8b17c7526ad3bd180c3f5
-
SSDEEP
12288:8cMkhWAEQ0CQncg1mbwhvsZEatpSe220XBUohsNbL7YJw:CzQ0CQcdOtkkeN0XBUoheV
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic; this sample is configured to exfiltrate over FTP (see Malware Config).
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL
Loads a DLL that the sample itself wrote to disk during execution.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag, so an attached debugger receives no events for it; an anti-analysis technique.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
Calls NtSetInformationThread with the ThreadHideFromDebugger class (0x11), which detaches the thread from debugger event delivery; an anti-analysis technique.
-
Suspicious use of SetThreadContext
Rewrites a thread's register context; commonly used by injection and process-hollowing loaders to redirect a suspended thread into injected code.
-
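The behavioural signatures above are each a predicate over API-call records. The following Python is an added example, not sandbox code: it replays four of the report's signatures (the two HideFromDebugger variants, cross-process SetThreadContext and the Uninstall-key enumeration) over a constructed JSON-lines trace, with benign control calls included so the predicates are shown not to over-fire. The trace format, field names and caller/target pid convention are assumptions; the 0x11 and 0x4 constants are the native API values.

```python
"""Replay the report's behavioural signatures over an API-call trace.
Added example, not sandbox code; the JSON-lines trace format is assumed."""
import json
from typing import Optional

# Native API constants (ntdll).
THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit
UNINSTALL_KEY = "\\uninstall"                 # ...\CurrentVersion\Uninstall (lower-cased)

# Constructed trace: one JSON record per call with the caller pid, api name and args.
# Records 1 and 5 are benign controls (a priority change; a same-process context write).
TRACE = "\n".join([
    '{"pid": 1337, "api": "NtSetInformationThread", "args": {"ThreadInformationClass": 2}}',
    '{"pid": 1337, "api": "NtSetInformationThread", "args": {"ThreadInformationClass": 17}}',
    '{"pid": 1337, "api": "NtCreateThreadEx", "args": {"ProcessHandle": -1, "CreateFlags": 4}}',
    '{"pid": 1337, "api": "RegOpenKeyExW", "args": {"SubKey": "SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Uninstall"}}',
    '{"pid": 1337, "api": "SetThreadContext", "args": {"TargetPid": 1337, "ThreadHandle": 248}}',
    '{"pid": 1337, "api": "SetThreadContext", "args": {"TargetPid": 2048, "ThreadHandle": 260}}',
])

SIG_HIDE_SET = "Suspicious use of NtSetInformationThreadHideFromDebugger"
SIG_HIDE_CREATE = "Suspicious use of NtCreateThreadExHideFromDebugger"
SIG_SET_CONTEXT = "Suspicious use of SetThreadContext"
SIG_UNINSTALL = "Checks installed software on the system"


def classify(rec: dict) -> Optional[str]:
    """Map one call record to a signature name, or None if nothing matches."""
    api, args = rec["api"], rec.get("args", {})
    if api == "NtSetInformationThread" and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER:
        return SIG_HIDE_SET
    if api == "NtCreateThreadEx" and args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
        return SIG_HIDE_CREATE
    if api == "SetThreadContext" and args.get("TargetPid") != rec["pid"]:
        # A cross-process context write is the hollowing/injection case; same-process
        # use also occurs in legitimate code (debuggers, exception handling), so it
        # is deliberately not flagged here.
        return SIG_SET_CONTEXT
    if api in ("RegOpenKeyExW", "RegOpenKeyExA") and UNINSTALL_KEY in args.get("SubKey", "").lower():
        return SIG_UNINSTALL
    return None


def analyze(trace: str) -> list:
    """Return one finding per matching record, with the 1-based trace line."""
    findings = []
    for lineno, line in enumerate(trace.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        sig = classify(rec)
        if sig:
            findings.append({"line": lineno, "pid": rec["pid"], "api": rec["api"], "signature": sig})
    return findings


def triggered_signatures(trace: str) -> set:
    return {f["signature"] for f in analyze(trace)}


if __name__ == "__main__":
    for f in analyze(TRACE):
        print(f)
```

The thread-hiding predicates are exact because both calls carry the intent in a single argument; the SetThreadContext rule needs the caller/target pid pair because the call itself is ambiguous, which is why the sandbox labels it only "suspicious".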