General
-
Target
28f95feb6ffa4302919d61f2599cb73f1853ad3479116f9460db641a5165ba0d.exe
-
Size
602KB
-
Sample
240324-chf4xaah2v
-
MD5
4c7a142391926be5af99375af9f316ff
-
SHA1
20a6c895bd51ea1e0bdfcbb837fb92f484609e71
-
SHA256
28f95feb6ffa4302919d61f2599cb73f1853ad3479116f9460db641a5165ba0d
-
SHA512
61adb244bb91b0092183a23219ad5e6aad65adc42df9018d6f888538fa79704b16ad2ced9b11f7d10fa33a3512c956c9903de36f606f3ba70dd146e0bbfa65e0
-
SSDEEP
12288:mhFOB5zdpq8vHQDORZZXQZiOSXS2XLTbWr7Fx8bg4hbTtR/:mhFKtdpq8vQiFXQfp+Wr7cXFTtJ
Static task
static1
Behavioral task
behavioral1
Sample
28f95feb6ffa4302919d61f2599cb73f1853ad3479116f9460db641a5165ba0d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
28f95feb6ffa4302919d61f2599cb73f1853ad3479116f9460db641a5165ba0d.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.fredy.ee - Port:
21 - Username:
[email protected] - Password:
playingboyz231
Targets
-
-
Target
28f95feb6ffa4302919d61f2599cb73f1853ad3479116f9460db641a5165ba0d.exe
-
Size
602KB
-
MD5
4c7a142391926be5af99375af9f316ff
-
SHA1
20a6c895bd51ea1e0bdfcbb837fb92f484609e71
-
SHA256
28f95feb6ffa4302919d61f2599cb73f1853ad3479116f9460db641a5165ba0d
-
SHA512
61adb244bb91b0092183a23219ad5e6aad65adc42df9018d6f888538fa79704b16ad2ced9b11f7d10fa33a3512c956c9903de36f606f3ba70dd146e0bbfa65e0
-
SSDEEP
12288:mhFOB5zdpq8vHQDORZZXQZiOSXS2XLTbWr7Fx8bg4hbTtR/:mhFKtdpq8vQiFXQfp+Wr7cXFTtJ
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Loads dropped DLL
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
8b3830b9dbf87f84ddd3b26645fed3a0
-
SHA1
223bef1f19e644a610a0877d01eadc9e28299509
-
SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37
-
SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03
-
SSDEEP
192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
Score3/10 -