General
-
Target
f5e5065093aba6e737332f46cfd1b0672dd9c7025e599d9832f8b25b65033c94.exe
-
Size
708KB
-
Sample
240327-dadjgsba75
-
MD5
cc3d25e47bf31f862ecf842f2f174951
-
SHA1
91904f35dbe6a77a50766fef0d769674d96bd720
-
SHA256
f5e5065093aba6e737332f46cfd1b0672dd9c7025e599d9832f8b25b65033c94
-
SHA512
81e3b6e106491777e31558eee7afca3324bde7df45beb3dd93fc9d040b5b5b32b694ad07197a8842636cf19ba50080ff28e8d437e1d4592f496047ddfc276f29
-
SSDEEP
12288:lCz/Ba5W2Meyb2GHVCAPwepEHIcQgS7bFnTMjt5a6hd1SeralhD:MrzlRZI6wOEocQgSXFTMZptrghD
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.aficofilters.com.eg - Port:
587 - Username:
[email protected] - Password:
mhds@852 - Email To:
[email protected]
Targets
-
-
Target
f5e5065093aba6e737332f46cfd1b0672dd9c7025e599d9832f8b25b65033c94.exe
-
Size
708KB
-
MD5
cc3d25e47bf31f862ecf842f2f174951
-
SHA1
91904f35dbe6a77a50766fef0d769674d96bd720
-
SHA256
f5e5065093aba6e737332f46cfd1b0672dd9c7025e599d9832f8b25b65033c94
-
SHA512
81e3b6e106491777e31558eee7afca3324bde7df45beb3dd93fc9d040b5b5b32b694ad07197a8842636cf19ba50080ff28e8d437e1d4592f496047ddfc276f29
-
SSDEEP
12288:lCz/Ba5W2Meyb2GHVCAPwepEHIcQgS7bFnTMjt5a6hd1SeralhD:MrzlRZI6wOEocQgSXFTMZptrghD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-