General
-
Target
ad5c519df39152112b96cbd80417dbdfeb0a90f98f23e49511e6b9d08981894a.exe
-
Size
831KB
-
Sample
240328-c1ad3sdb8z
-
MD5
18ab2aad8e5efd35242fbd95df4e7dd8
-
SHA1
72f5eb04ed362a77235283d634d499edda685bf7
-
SHA256
ad5c519df39152112b96cbd80417dbdfeb0a90f98f23e49511e6b9d08981894a
-
SHA512
34701b20f0afc8694c5bb42a5ecea9daa86b7c59e9b8cf6ce2aaf9598dc39215382c36efa2c8d216e84e3a978a2bd8d6215a937952c69889b698d077f02cfdd9
-
SSDEEP
12288:UFLUZoWBwIyww0vWfueEQEarTXNmuKXevwN0GQ+l3y34SI1Vt/L5r3BD1Ry09yz:UaomwIjGGUfHwuuNvSIb1LN
Static task
static1
Behavioral task
behavioral1
Sample
ad5c519df39152112b96cbd80417dbdfeb0a90f98f23e49511e6b9d08981894a.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ad5c519df39152112b96cbd80417dbdfeb0a90f98f23e49511e6b9d08981894a.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.sintecno.gr - Port:
587 - Username:
info@sintecno.gr - Password:
k$&v8@,q0Pf# - Email To:
donj5425@gmail.com
Targets
-
-
Target
ad5c519df39152112b96cbd80417dbdfeb0a90f98f23e49511e6b9d08981894a.exe
-
Size
831KB
-
MD5
18ab2aad8e5efd35242fbd95df4e7dd8
-
SHA1
72f5eb04ed362a77235283d634d499edda685bf7
-
SHA256
ad5c519df39152112b96cbd80417dbdfeb0a90f98f23e49511e6b9d08981894a
-
SHA512
34701b20f0afc8694c5bb42a5ecea9daa86b7c59e9b8cf6ce2aaf9598dc39215382c36efa2c8d216e84e3a978a2bd8d6215a937952c69889b698d077f02cfdd9
-
SSDEEP
12288:UFLUZoWBwIyww0vWfueEQEarTXNmuKXevwN0GQ+l3y34SI1Vt/L5r3BD1Ry09yz:UaomwIjGGUfHwuuNvSIb1LN
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-