General

Target: e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029.exe
Size: 608KB
Sample: 240326-dhy56acd24
MD5: 0aeb7bc1e4ef7693e20f2e9b3cfd65a0
SHA1: 1c6f6a8e9bb62ee29c3c5b23f73d660db3954ef7
SHA256: e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029
SHA512: 1ab64df28ffcf0d88a211723c20be896e40730013fe103732dc7911923cbfe84a28b18a252d34b95804acf9cd3b169f1199747628d0f8b8cff68b158ee9121ef
SSDEEP: 12288:VI59EO75O5kk24qJB0cfscFFlsQczFo/HyfPuD:VI5B05k6qMcFszpGS3uD
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029.exe
  Resource: win7-20231129-en
Malware Config

Extracted: agenttesla
  Protocol: ftp
  Host: ftp://ftp.normagroup.com.tr
  Port: 21
  Username: [email protected]
  Password: Kingdom12345@

Extracted:
  Protocol: ftp
  Host: ftp.normagroup.com.tr
  Port: 21
  Username: [email protected]
  Password: Kingdom12345@

Both extractions describe the same FTP drop server; the only difference is the ftp:// scheme on the host in the first one. The username is rendered obfuscated on the source page ("[email protected]") and is not recoverable from it. In FTP mode Agent Tesla uploads its collected credentials and logs to this account, and FTP carries both the login and the uploaded data in cleartext, so the hostname, port and account are the indicators to pivot on.
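The config block above is the most actionable part of the report, but the sandbox renders it as one run-together line per extraction. The following added example (not part of the original report or of any tooling the page describes) parses those lines into a normalised C2 record, collapses the two near-duplicate extractions, and then hunts for sessions to that server in Zeek-style dns.log and ftp.log excerpts. The log excerpts and the IP addresses in them are constructed for the demonstration (documentation ranges, not real resolutions of the hostname); the column subsets, the `parse_config`/`find_exfil` helper names and the file name in the STOR command are likewise assumptions of the example.

```python
"""Turn the AgentTesla FTP config from the report into IOCs and hunt for
matching exfiltration sessions in Zeek-style logs.

Added example, not part of the original sandbox report. The config text is
copied verbatim from the report; the log excerpts are constructed and the
IP addresses are documentation ranges, not real resolutions of the C2 host.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Both "Extracted" entries exactly as the report renders them. The username
# is obfuscated on the source page ("[email protected]") and is left as-is.
REPORT_CONFIG_LINES = [
    "Protocol: ftp- Host: ftp://ftp.normagroup.com.tr - Port: 21 - Username: [email protected] - Password: Kingdom12345@",
    "Protocol: ftp- Host: ftp.normagroup.com.tr - Port: 21 - Username: [email protected] - Password: Kingdom12345@",
]

# Field names are a closed set, so the "ftp:" inside "ftp://" is never taken
# for a key; a value runs until the next "- Key:" separator or end of line.
_FIELD_RE = re.compile(
    r"(Protocol|Host|Port|Username|Password):\s*(.*?)\s*"
    r"(?=-\s*(?:Host|Port|Username|Password):|$)"
)


@dataclass(frozen=True)
class FtpC2Config:
    protocol: str
    host: str
    port: int
    username: str
    password: str


def parse_config(line: str) -> FtpC2Config:
    """Parse one sandbox-rendered config line into a normalised record."""
    fields = dict(_FIELD_RE.findall(line))
    host = fields["Host"]
    if "://" in host:  # one extraction carries a scheme, the other does not
        host = urlparse(host).hostname or host
    return FtpC2Config(
        protocol=fields["Protocol"].lower(),
        host=host.lower(),
        port=int(fields["Port"]),
        username=fields["Username"],
        password=fields["Password"],
    )


def unique_configs(lines) -> list:
    """Collapse near-duplicate extractions into distinct C2 endpoints."""
    return sorted({parse_config(l) for l in lines}, key=lambda c: (c.host, c.port))


# Constructed Zeek-style excerpts, reduced to the columns used here.
# dns.log columns: ts uid orig_h orig_p resp_h resp_p query answer
DNS_LOG = (
    "1711431000.10\tCdns1\t10.0.0.5\t53211\t10.0.0.2\t53\tftp.normagroup.com.tr\t203.0.113.45\n"
    "1711431001.20\tCdns2\t10.0.0.5\t53212\t10.0.0.2\t53\twww.example.com\t198.51.100.7\n"
)
# ftp.log columns: ts uid orig_h orig_p resp_h resp_p command arg
FTP_LOG = (
    "1711431005.00\tCftp1\t10.0.0.5\t49712\t203.0.113.45\t21\tSTOR\treport.html\n"
    "1711431006.00\tCftp2\t10.0.0.5\t49713\t198.51.100.7\t21\tRETR\tupdate.txt\n"
    "1711431007.00\tCftp3\t10.0.0.5\t49714\t203.0.113.45\t2121\tSTOR\tnotes.txt\n"
)


def resolved_ips(dns_log: str, host: str) -> set:
    """Answers seen for the C2 hostname. The hostname alone never matches
    ftp.log, which only records the responder IP, so pivot through DNS."""
    ips = set()
    for line in dns_log.splitlines():
        cols = line.split("\t")
        if len(cols) >= 8 and cols[6].lower().rstrip(".") == host:
            ips.add(cols[7])
    return ips


def find_exfil(ftp_log: str, cfg: FtpC2Config, c2_ips: set) -> list:
    """Sessions to a resolved C2 address. Port and command are recorded, not
    required: a port mismatch or a non-STOR command is still contact with the
    stealer's drop server and worth a look."""
    hits = []
    for line in ftp_log.splitlines():
        _ts, uid, orig_h, _orig_p, resp_h, resp_p, command, arg = line.split("\t")
        if resp_h not in c2_ips:
            continue
        hits.append({
            "uid": uid,
            "src": orig_h,
            "dst": f"{resp_h}:{resp_p}",
            "port_matches_config": int(resp_p) == cfg.port,
            "upload": command.upper() == "STOR",
            "arg": arg,
        })
    return hits


def hunt(dns_log: str = DNS_LOG, ftp_log: str = FTP_LOG) -> list:
    """End to end: config lines -> IOC -> DNS pivot -> FTP sessions."""
    results = []
    for cfg in unique_configs(REPORT_CONFIG_LINES):
        results.extend(find_exfil(ftp_log, cfg, resolved_ips(dns_log, cfg.host)))
    return results


if __name__ == "__main__":
    for cfg in unique_configs(REPORT_CONFIG_LINES):
        print(f"IOC: {cfg.protocol}://{cfg.host}:{cfg.port}")
    for hit in hunt():
        print(hit)
```

Against the constructed logs the hunt returns two sessions: the STOR to 203.0.113.45:21 that matches the config exactly, and a second STOR to the same address on port 2121, which is flagged with `port_matches_config` false rather than dropped, because the configured port is the weakest of the three indicators and an operator can change it without rebuilding the sample.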
Targets

Target: e43f623e317d13daa4383aa020274df52ca9a807efe597f34ae7126ca6067029.exe (608KB; hashes and SSDEEP as listed under General)
Signatures

- AgentTesla: Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (VB.NET/C#).
- Detects packed .NET executables, mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with or using KoiVM (a ConfuserEx virtualization plugin for .NET).
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext: setting the context of a thread in another process is the step that redirects execution after a payload has been written into a suspended host process (process hollowing), so the stealer logic is likely to run outside this file's own image.