General
- Target: 2cd1dbdda80466cde0fceaf2f8cadebe954bff64bb313821969451569c958add.exe
- Size: 705KB
- Sample: 240327-clxk3aab59
- MD5: d8e84b5e26d9355e503d3ff632d05018
- SHA1: fa8339ec7c63a954d077471ace9a7a2eb01719d5
- SHA256: 2cd1dbdda80466cde0fceaf2f8cadebe954bff64bb313821969451569c958add
- SHA512: f614c9ced750222de6fef31e9c7d23022683b6907551e604e8c7d49630e76694c78929c53a6e4251e6e783e06a82a573f276d7b7770d17925b1c2b25f8f1652d
- SSDEEP: 12288:X8+pDta5WLKX+HCEK3URU666WXiOLnMfnTw8W6qqPrLsRzkamLBqFKyv2Dv0g/k2:5LTH5GgWSgMPs69PrLsRzkR9qH2DvTk2
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 2cd1dbdda80466cde0fceaf2f8cadebe954bff64bb313821969451569c958add.exe
  - Resource: win7-20240220-en
Behavioral task
- behavioral2
  - Sample: 2cd1dbdda80466cde0fceaf2f8cadebe954bff64bb313821969451569c958add.exe
  - Resource: win10v2004-20240319-en
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.itresinc.com
- Port: 587
- Username: [email protected]
- Password: MT]ANFjWzKTA
- Email To: [email protected]
Extracted
- Protocol: smtp
- Host: mail.itresinc.com
- Port: 587
- Username: [email protected]
- Password: MT]ANFjWzKTA
Targets
- Target: 2cd1dbdda80466cde0fceaf2f8cadebe954bff64bb313821969451569c958add.exe
- Size: 705KB
- MD5: d8e84b5e26d9355e503d3ff632d05018
- SHA1: fa8339ec7c63a954d077471ace9a7a2eb01719d5
- SHA256: 2cd1dbdda80466cde0fceaf2f8cadebe954bff64bb313821969451569c958add
- SHA512: f614c9ced750222de6fef31e9c7d23022683b6907551e604e8c7d49630e76694c78929c53a6e4251e6e783e06a82a573f276d7b7770d17925b1c2b25f8f1652d
- SSDEEP: 12288:X8+pDta5WLKX+HCEK3URU666WXiOLnMfnTw8W6qqPrLsRzkamLBqFKyv2Dv0g/k2:5LTH5GgWSgMPs69PrLsRzkR9qH2DvTk2
Score 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with SmartAssembly
- Detects executables referencing Windows vault credential objects. Observed in infostealers
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers
- Detects executables referencing many email and collaboration clients. Observed in information stealers
- Detects executables referencing many file transfer clients. Observed in information stealers
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext