General
-
Target
2e41ea890acc93ea21b2e353f795cee51609631260e3311c96c4a6f44fcf5332.exe
-
Size
721KB
-
Sample
240323-clwnrseg7z
-
MD5
3aceb84dd8d5f903b26fbb9e3530513d
-
SHA1
107bfbe77e9db7789673e0e321f2561116111c62
-
SHA256
2e41ea890acc93ea21b2e353f795cee51609631260e3311c96c4a6f44fcf5332
-
SHA512
69ccea9b468c55ca3ce0a2b9fa67ecc9dbaec5e938363137c54235909522d5a8ef301f332aa60f7c7ba9b35cd99ab5a8bf5176ac7cbebf69b22941374c089fe8
-
SSDEEP
12288:co5vFoWdV8r4MXm33OdFfCxpY5NCQvjlnUhhaTgiMz:cojdVVMWHwfCg7CQblnUhh8Mz
Static task
static1
Behavioral task
behavioral1
Sample
2e41ea890acc93ea21b2e353f795cee51609631260e3311c96c4a6f44fcf5332.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2e41ea890acc93ea21b2e353f795cee51609631260e3311c96c4a6f44fcf5332.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.myhydropowered.com - Port:
587 - Username:
[email protected] - Password:
yV0cOwpBjCCXLvN - Email To:
[email protected]
Targets
-
-
Target
2e41ea890acc93ea21b2e353f795cee51609631260e3311c96c4a6f44fcf5332.exe
-
Size
721KB
-
MD5
3aceb84dd8d5f903b26fbb9e3530513d
-
SHA1
107bfbe77e9db7789673e0e321f2561116111c62
-
SHA256
2e41ea890acc93ea21b2e353f795cee51609631260e3311c96c4a6f44fcf5332
-
SHA512
69ccea9b468c55ca3ce0a2b9fa67ecc9dbaec5e938363137c54235909522d5a8ef301f332aa60f7c7ba9b35cd99ab5a8bf5176ac7cbebf69b22941374c089fe8
-
SSDEEP
12288:co5vFoWdV8r4MXm33OdFfCxpY5NCQvjlnUhhaTgiMz:cojdVVMWHwfCg7CQblnUhh8Mz
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Loads dropped DLL
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae
-
SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b
-
SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e
-
SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6
-
SSDEEP
192:OPtkumJX7zB22kGwfy0mtVgkCPOsX1un:/702k5qpdsXQn
Score3/10 -