General
-
Target
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a.exe
-
Size
606KB
-
Sample
240327-chb5ysda4y
-
MD5
fe84ba7054e8b3a9f45220feb06bd7af
-
SHA1
6b5c9429d87c33147997876c7bfdb3e219563b7f
-
SHA256
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a
-
SHA512
c8f560b5378c36f6b0a23a4e22048ff6232f6a9ad3c083e9a9ce8b265074471b52118fcc82e3a7dd181c76ac2c94422aabcb2d5019796650200c4f19f71cb52b
-
SSDEEP
12288:FhtMAatmv4zKbju0GllCbxFKonJFmi6JW2D6keSDow1bUU4a5W:FhtMAatmXTGlstvifHDowE
Static task
static1
Behavioral task
behavioral1
Sample
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.nogamobilya.com - Port:
587 - Username:
[email protected] - Password:
121121.1.noga! - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.nogamobilya.com - Port:
587 - Username:
[email protected] - Password:
121121.1.noga!
Targets
-
-
Target
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a.exe
-
Size
606KB
-
MD5
fe84ba7054e8b3a9f45220feb06bd7af
-
SHA1
6b5c9429d87c33147997876c7bfdb3e219563b7f
-
SHA256
0385e72feabb9b4207ae2266774849feb9d5179d036b4292e5ffed33c27a5f4a
-
SHA512
c8f560b5378c36f6b0a23a4e22048ff6232f6a9ad3c083e9a9ce8b265074471b52118fcc82e3a7dd181c76ac2c94422aabcb2d5019796650200c4f19f71cb52b
-
SSDEEP
12288:FhtMAatmv4zKbju0GllCbxFKonJFmi6JW2D6keSDow1bUU4a5W:FhtMAatmXTGlstvifHDowE
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-