General
Target: d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6.exe
Size: 798KB
Sample: 240328-c4v5ysdc6y
MD5: fb029eca94061f0186fc8701bdc85c77
SHA1: 08231601ad4894e80dc1bd323456ed5e4cacb13c
SHA256: d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6
SHA512: f46da4da503d580eb9fb9648141375f1a5c244d6832a7c426d65337d0e7cec6f515ae1ee9a0921002c4d04b99b01b09775ffe8823e9a557f0ff78aee57cf07d4
SSDEEP: 12288:R6dum27u49Zr7EwcCiCXZHvyK7m2GtW8rTRpJ9ShOWQ7G/GFH9eo:R6dufltdcCpPyPW8rTRp6I8+deo

Static task: static1
Behavioral task: behavioral1
Sample: d2a44cec8dbbd996cc4b5780f907f33fd4040c44519653503f4b17f3288149a6.exe
Resource: win7-20240221-en

Malware Config
Extracted: agenttesla
https://api.telegram.org/bot7189076260:AAHEL9QuHqQcKXN8kPXNO5BpYSd3XtQOqFg/
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with or using KoiVM.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Checks computer location settings: looks up the country code configured in the registry, likely as a geofence.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext.