General
-
Target
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80.exe
-
Size
724KB
-
Sample
240328-c8b8msdd4z
-
MD5
0aecae00e463d917ab4ac1ce7e2cdd16
-
SHA1
7dadf13009e6461dee1cf2a35cb0a8d823c65f25
-
SHA256
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80
-
SHA512
07690358a37b261ed47fb4c2efc82e47ffdd69eb65a7b886f379b8f0593fa921a99348214c9f99fa3229d2dfb35dfc5ca36512280e4c3633012200a910e60cbd
-
SSDEEP
12288:RCKLa5WNtA8YoemPMn/9N/q7V9Clyq/xcNipiLLxhpIpXrXzCf8V+g9VmhfkR:oK5NtQbn18xIdMLwbX2U39Vmh6
Static task
static1
Behavioral task
behavioral1
Sample
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
zqamcx.com - Port:
587 - Username:
sender@zqamcx.com - Password:
Methodman991 - Email To:
method@zqamcx.com
Targets
-
-
Target
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80.exe
-
Size
724KB
-
MD5
0aecae00e463d917ab4ac1ce7e2cdd16
-
SHA1
7dadf13009e6461dee1cf2a35cb0a8d823c65f25
-
SHA256
f1966d8c36df489b3dbf5b888a502de7799b3ff66213806e4dd3633ed8ee2b80
-
SHA512
07690358a37b261ed47fb4c2efc82e47ffdd69eb65a7b886f379b8f0593fa921a99348214c9f99fa3229d2dfb35dfc5ca36512280e4c3633012200a910e60cbd
-
SSDEEP
12288:RCKLa5WNtA8YoemPMn/9N/q7V9Clyq/xcNipiLLxhpIpXrXzCf8V+g9VmhfkR:oK5NtQbn18xIdMLwbX2U39Vmh6
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-