General
-
Target
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb.exe
-
Size
740KB
-
Sample
240328-cgtcvaae88
-
MD5
31d774bcb59137de3360dcb616cb7b5b
-
SHA1
83a1b52ebc2b0b765b27ef0566e0f762cd5a1cd9
-
SHA256
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb
-
SHA512
33c7903b26f3fff20aceeafc31a1980ef017350090d7a4ee5333542b0976b29b2eaeec8f97cb5aac549f0344ff33cf0f020e319d4342d47bf5fe61a84d36c76c
-
SSDEEP
12288:kd1JsJ6S4d1Sh2iNwA4fNTq29Glbr9IjAhnoOSldKByGOFyGK5uPPaSshrQk1S:kdrw1GA4Nm2ZAW9djGOXA
Static task
static1
Behavioral task
behavioral1
Sample
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.sintecno.gr - Port:
587 - Username:
info@sintecno.gr - Password:
k$&v8@,q0Pf# - Email To:
donj5425@gmail.com
Targets
-
-
Target
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb.exe
-
Size
740KB
-
MD5
31d774bcb59137de3360dcb616cb7b5b
-
SHA1
83a1b52ebc2b0b765b27ef0566e0f762cd5a1cd9
-
SHA256
1351b990d6a707e3a6e70890c2e4a637ce36c074210bed4ed5861e111f766ecb
-
SHA512
33c7903b26f3fff20aceeafc31a1980ef017350090d7a4ee5333542b0976b29b2eaeec8f97cb5aac549f0344ff33cf0f020e319d4342d47bf5fe61a84d36c76c
-
SSDEEP
12288:kd1JsJ6S4d1Sh2iNwA4fNTq29Glbr9IjAhnoOSldKByGOFyGK5uPPaSshrQk1S:kdrw1GA4Nm2ZAW9djGOXA
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-