General
-
Target
af4c8dace0ca65db170c11477a3794af2ad3feb706bda810988a22ce72af5a68.exe
-
Size
1.1MB
-
Sample
240328-c1ct7sah64
-
MD5
2a07051d44440cd3c25081da8e13937d
-
SHA1
cf8c01d5bf1208ab2f8806fef2cb735a53486e36
-
SHA256
af4c8dace0ca65db170c11477a3794af2ad3feb706bda810988a22ce72af5a68
-
SHA512
8862d95a3903c66bf0b71d36e4748d192e730301efef6092f86565d6eff543266799c5b571f62d985174e26e50f4da842e17bb3fc4269f238d71442c29f97b0c
-
SSDEEP
24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aIvgpkO6qHAYDb:ETvC/MTQYxsWR7aIvgNVHTD
Static task
static1
Behavioral task
behavioral1
Sample
af4c8dace0ca65db170c11477a3794af2ad3feb706bda810988a22ce72af5a68.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
af4c8dace0ca65db170c11477a3794af2ad3feb706bda810988a22ce72af5a68.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6776344622:AAE2QGMduuZ12VrNAxC91B7E3v-RBpjCMNI/
Targets
-
-
Target
af4c8dace0ca65db170c11477a3794af2ad3feb706bda810988a22ce72af5a68.exe
-
Size
1.1MB
-
MD5
2a07051d44440cd3c25081da8e13937d
-
SHA1
cf8c01d5bf1208ab2f8806fef2cb735a53486e36
-
SHA256
af4c8dace0ca65db170c11477a3794af2ad3feb706bda810988a22ce72af5a68
-
SHA512
8862d95a3903c66bf0b71d36e4748d192e730301efef6092f86565d6eff543266799c5b571f62d985174e26e50f4da842e17bb3fc4269f238d71442c29f97b0c
-
SSDEEP
24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aIvgpkO6qHAYDb:ETvC/MTQYxsWR7aIvgNVHTD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-