General
-
Target
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
-
Size
747KB
-
Sample
240328-cf36naae82
-
MD5
93da4f364deae0c5dccb3d9ab2e1c67a
-
SHA1
e65df8007dae4cddbb1119c7dcc0737328c760d7
-
SHA256
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305
-
SHA512
436a1a3fa33acb21ddc76d0191b204cf86a83ad587dfb9c97a0ae8d9e3bfa8602bc59162cbfdfdea57988151dcc386769d395fa81f3c7b87e55b9a8e650482b6
-
SSDEEP
12288:TkMayww0KgdH8+WXfJxsXqmUUwyFT9kgwyXROOTa85gijVdIaNv:zajSQC/0we5kwROOTa85PjrNN
Static task
static1
Behavioral task
behavioral1
Sample
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
Resource
win10v2004-20240319-en
Malware Config
Extracted
agenttesla
https://discordapp.com/api/webhooks/1209079326381703258/KMWScJ3_PST6cUhH_FpNX9xquPQydoTw5ra7lQhfDovLGBW7jR_Rk634D6j1s1IOLj61
Targets
-
-
Target
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305.exe
-
Size
747KB
-
MD5
93da4f364deae0c5dccb3d9ab2e1c67a
-
SHA1
e65df8007dae4cddbb1119c7dcc0737328c760d7
-
SHA256
0b2843566112d9b4a879e77416227bb7c46152c418385d4e608b7d7b687dd305
-
SHA512
436a1a3fa33acb21ddc76d0191b204cf86a83ad587dfb9c97a0ae8d9e3bfa8602bc59162cbfdfdea57988151dcc386769d395fa81f3c7b87e55b9a8e650482b6
-
SSDEEP
12288:TkMayww0KgdH8+WXfJxsXqmUUwyFT9kgwyXROOTa85gijVdIaNv:zajSQC/0we5kwROOTa85PjrNN
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-