General
-
Target
48573bdc9009df430bfef2f040b5a23a63f4d7c6d8fdcc46e1d94e45a71efa45.img
-
Size
1.3MB
-
Sample
240323-cnq63acb67
-
MD5
d36dc74549ca9a70b8f4731cfa9cd4ce
-
SHA1
0e2e606a40862d0ff956978081a0388fea340e18
-
SHA256
48573bdc9009df430bfef2f040b5a23a63f4d7c6d8fdcc46e1d94e45a71efa45
-
SHA512
c012b882750013578534a38f3d2be5ab95c063b33e9f45e6337ec810c9d67002191b8615e47e0ad5a48da5e5f1c49cc006e9f8af1a255b5608a2d114a9cda725
-
SSDEEP
12288:ghUQmD3ceDqZWJPgCls1bINQhysTF82jb+OSX4S4AGrsEqleoGoOX:ghUD3cZWJ4DbcQrTFDa+rsLko
Static task
static1
Behavioral task
behavioral1
Sample
Letter-Receipt.exe
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
Letter-Receipt.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Brk/Fugios/Vrdiforskydninger182.ps1
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
Brk/Fugios/Vrdiforskydninger182.ps1
Resource
win10v2004-20231215-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7095947285:AAH0OAWsNNNRaRk-0tgESWW6mHr4jwUMS9o/
Targets
-
-
Target
Letter-Receipt.exe
-
Size
800KB
-
MD5
c0644a075912eda8c219f81fc25d80a2
-
SHA1
a475519e2cade20a5d5614ab5fc66c637a1f7996
-
SHA256
b984e4e98a5906f2e4aa6eece57527d0410bbf7faa5d01c33fc280a6f87d3546
-
SHA512
06f4ae192a31d43925c62b247ac3a1f4d418b995a7d9635841779def617311b01f516be5753c5cb5b033e2ba19b5e794defe86ad840e1bb0ca77cd2efca9e8df
-
SSDEEP
12288:ghUQmD3ceDqZWJPgCls1bINQhysTF82jb+OSX4S4AGrsEqleoGoOX:ghUD3cZWJ4DbcQrTFDa+rsLko
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers.
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
-
Detects executables referencing many email and collaboration clients. Observed in information stealers.
-
Detects executables referencing many file transfer clients. Observed in information stealers.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Brk/Fugios/Vrdiforskydninger182.Ten
-
Size
56KB
-
MD5
5f0458117d15429d0a8cb5544cb084d5
-
SHA1
fce6bebe095f0cf2698d0564506a91b57f6ec99d
-
SHA256
c76d95cb1b49ebefb7510949fd5ee28cae43ddd3ba5ac813ba5e7c37034e5e84
-
SHA512
17df9360603bdcc81a108e4be3710f7fe92cee99c89d70e14694a19d418505b79723d21543c3a47113347021c100832acb17edd0a90d65b207ffc0ad24638246
-
SSDEEP
1536:8g68dHlKhcHMxCeFd6CNQxEVD0ZnFaChFe:B68Ohcsxfd6Wr4bo
Score 8/10
-
Modifies Installed Components in the registry
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-