General
-
Target
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
-
Size
660KB
-
Sample
240328-c2bnjaah88
-
MD5
818c1d4d7b71a802240c5b04010c0929
-
SHA1
21ab4b40707da5ccdadf53c37458cc5b5ea674a7
-
SHA256
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a
-
SHA512
fb4e9f6eb2b8b4e1f5e9e3b332a3bc40297f69924c60c052632e68ba44e666c2ceea9b5dc2b6aeb0125ebb03b722e5b1668c8ad90618e0a2e96e2c892584892a
-
SSDEEP
12288:aH2iNlw09szFS6U2/fdkuj+JvDUPXn1+hVh7ziEy27/MxC1GKuMDwK5J8XVhB+g:01XKC2XdLj+JLSX1kEE/M4wK/wK5qVH9
Static task
static1
Behavioral task
behavioral1
Sample
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.oceanskylogistics.in - Port:
587 - Username:
export@oceanskylogistics.in - Password:
Oce@n@1234 - Email To:
jose.oliveirea655@gmail.com
Targets
-
-
Target
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a.exe
-
Size
660KB
-
MD5
818c1d4d7b71a802240c5b04010c0929
-
SHA1
21ab4b40707da5ccdadf53c37458cc5b5ea674a7
-
SHA256
b9b4d87c84f6baf4e71845c26c43e70b7c1c6d06a94e4a87df17a7e8dcf5530a
-
SHA512
fb4e9f6eb2b8b4e1f5e9e3b332a3bc40297f69924c60c052632e68ba44e666c2ceea9b5dc2b6aeb0125ebb03b722e5b1668c8ad90618e0a2e96e2c892584892a
-
SSDEEP
12288:aH2iNlw09szFS6U2/fdkuj+JvDUPXn1+hVh7ziEy27/MxC1GKuMDwK5J8XVhB+g:01XKC2XdLj+JLSX1kEE/M4wK/wK5qVH9
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-