General
-
Target
e91d389bcd7dbcd63860b1bbe09fbc006880616e113630acb2dff1d5a41efb6a.exe
-
Size
718KB
-
Sample
240327-c8y3eaba36
-
MD5
e0f4226c8a03a6033b1ea0075056ad9a
-
SHA1
910d11dae17bdd87040236e5be2eac30abb04471
-
SHA256
e91d389bcd7dbcd63860b1bbe09fbc006880616e113630acb2dff1d5a41efb6a
-
SHA512
4374798b697ebd65ee84fe923d1acdc6a85aaa398bb798817abd55f8ee4e25a6a47a0ac9782e5595a13238b5161b37c669ad9544255bdb5eec76c6e35b2a1b17
-
SSDEEP
12288:da5WzrnDaFW0bfPdbef4XqXwK9Wfz+XTKg2Uzy9HOotXHisN:3fnDaFW0bfPo4XqXw8A9h9nL
Static task
static1
Behavioral task
behavioral1
Sample
e91d389bcd7dbcd63860b1bbe09fbc006880616e113630acb2dff1d5a41efb6a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
e91d389bcd7dbcd63860b1bbe09fbc006880616e113630acb2dff1d5a41efb6a.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
=;=yKWThEGx- - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
=;=yKWThEGx-
Targets
-
-
Target
e91d389bcd7dbcd63860b1bbe09fbc006880616e113630acb2dff1d5a41efb6a.exe
-
Size
718KB
-
MD5
e0f4226c8a03a6033b1ea0075056ad9a
-
SHA1
910d11dae17bdd87040236e5be2eac30abb04471
-
SHA256
e91d389bcd7dbcd63860b1bbe09fbc006880616e113630acb2dff1d5a41efb6a
-
SHA512
4374798b697ebd65ee84fe923d1acdc6a85aaa398bb798817abd55f8ee4e25a6a47a0ac9782e5595a13238b5161b37c669ad9544255bdb5eec76c6e35b2a1b17
-
SSDEEP
12288:da5WzrnDaFW0bfPdbef4XqXwK9Wfz+XTKg2Uzy9HOotXHisN:3fnDaFW0bfPo4XqXw8A9h9nL
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-