General
-
Target
1ddead5d6964c8e382d3b2ea694774ff58486bcfb7996015561cc9a03c61b536.exe
-
Size
740KB
-
Sample
240328-chhbzaae96
-
MD5
81d099f1008d98346919c22f105e26e5
-
SHA1
de77e686d32adca574703621974811dc6c7d3b31
-
SHA256
1ddead5d6964c8e382d3b2ea694774ff58486bcfb7996015561cc9a03c61b536
-
SHA512
b174aa74461edcc8afee22134084d6de4001fdf5d7012fbcd904f119d3959d776b43fd91a25147c20d2dcfa0d18eeb0b554155d2c7380d55030e6dd2e28bf794
-
SSDEEP
12288:Wd1JsJ6SH1Sh2iNwCZDcTsTmmk82Zzl2VLlh5AMOYFC6Vljc4J+G30NuqDpfLpPd:Wd4w1GQQABk1Zzl4ph5vtCi0hBDpfLG
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.starmech.net - Port:
587 - Username:
electronics@starmech.net - Password:
nics123 - Email To:
godwingodwin397@gmail.com
Targets
-
-
Target
1ddead5d6964c8e382d3b2ea694774ff58486bcfb7996015561cc9a03c61b536.exe
-
Size
740KB
-
MD5
81d099f1008d98346919c22f105e26e5
-
SHA1
de77e686d32adca574703621974811dc6c7d3b31
-
SHA256
1ddead5d6964c8e382d3b2ea694774ff58486bcfb7996015561cc9a03c61b536
-
SHA512
b174aa74461edcc8afee22134084d6de4001fdf5d7012fbcd904f119d3959d776b43fd91a25147c20d2dcfa0d18eeb0b554155d2c7380d55030e6dd2e28bf794
-
SSDEEP
12288:Wd1JsJ6SH1Sh2iNwCZDcTsTmmk82Zzl2VLlh5AMOYFC6Vljc4J+G30NuqDpfLpPd:Wd4w1GQQABk1Zzl4ph5vtCi0hBDpfLG
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with SmartAssembly
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-