General
-
Target
434cac1c8f9dfcc8e719c15a4cbe3462ab6066931f3b4598c79428d2a3e079bb.exe
-
Size
566KB
-
Sample
240228-t4jwcsge4t
-
MD5
b43dfe0d4445035a96b536e3fc49320e
-
SHA1
53fb6e459753548d52ec113682d88c63bc00e205
-
SHA256
434cac1c8f9dfcc8e719c15a4cbe3462ab6066931f3b4598c79428d2a3e079bb
-
SHA512
91dd1ff23a973c8b42f1c5ba98146702fa5aa353275b1d7b8fa70aa2ec20a4ca0ea4bda3616db111e889901bc49ba756078e44decfd2c06c35873b02e65772ff
-
SSDEEP
12288:IGzEt2rFx8xbm5bLSX/NyBnyxxh7OeLpcxL:IGzX8xbibGXVyBnEfpcxL
Malware Config
Extracted
Protocol: smtp- Host:
mail.myhydropowered.com - Port:
587 - Username:
[email protected] - Password:
nW5AoStmqtxtXpA
Extracted
agenttesla
Protocol: smtp- Host:
mail.myhydropowered.com - Port:
587 - Username:
[email protected] - Password:
nW5AoStmqtxtXpA - Email To:
[email protected]
Targets
-
-
Target
434cac1c8f9dfcc8e719c15a4cbe3462ab6066931f3b4598c79428d2a3e079bb.exe
-
Size
566KB
-
MD5
b43dfe0d4445035a96b536e3fc49320e
-
SHA1
53fb6e459753548d52ec113682d88c63bc00e205
-
SHA256
434cac1c8f9dfcc8e719c15a4cbe3462ab6066931f3b4598c79428d2a3e079bb
-
SHA512
91dd1ff23a973c8b42f1c5ba98146702fa5aa353275b1d7b8fa70aa2ec20a4ca0ea4bda3616db111e889901bc49ba756078e44decfd2c06c35873b02e65772ff
-
SSDEEP
12288:IGzEt2rFx8xbm5bLSX/NyBnyxxh7OeLpcxL:IGzX8xbibGXVyBnEfpcxL
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
4add245d4ba34b04f213409bfe504c07
-
SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
-
SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
-
SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d
-
SSDEEP
192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
Score3/10 -