General
-
Target
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b.exe
-
Size
618KB
-
Sample
240328-c1fabsah66
-
MD5
adc47f20cba61f1a2f8171791a455d09
-
SHA1
62508fbdde7bfb78e927495bb96d78ceb832a1ae
-
SHA256
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b
-
SHA512
49ee25101729fe1d351d6b96861be96c0fe273ecc3c3378fc42848ef1d46f6e6128982b695de7a8639b1529791c541f4ad2077c93c11155dc0d5ebbe63e8414c
-
SSDEEP
12288:4JMa5WyV/cXi7Cc8oZJfLyXrCt9vFjMRL9fPzDYUE8P8ITjEQ:4OS/kJoMIFCRhfgq8+j7
Static task
static1
Behavioral task
behavioral1
Sample
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.y-pt.com - Port:
587 - Username:
maxwell@y-pt.com - Password:
LILKOOLL14! - Email To:
richibigi6@gmail.com
Extracted
Protocol: smtp- Host:
mail.y-pt.com - Port:
587 - Username:
maxwell@y-pt.com - Password:
LILKOOLL14!
Targets
-
-
Target
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b.exe
-
Size
618KB
-
MD5
adc47f20cba61f1a2f8171791a455d09
-
SHA1
62508fbdde7bfb78e927495bb96d78ceb832a1ae
-
SHA256
b089fa2bc45c847783b8eb957d9d1023f707a96073f2657d6a838eaf5619949b
-
SHA512
49ee25101729fe1d351d6b96861be96c0fe273ecc3c3378fc42848ef1d46f6e6128982b695de7a8639b1529791c541f4ad2077c93c11155dc0d5ebbe63e8414c
-
SSDEEP
12288:4JMa5WyV/cXi7Cc8oZJfLyXrCt9vFjMRL9fPzDYUE8P8ITjEQ:4OS/kJoMIFCRhfgq8+j7
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-