General
-
Target
3a130b306b03d9d0d402d9bd69f4234e4e5edf0e72f3c4a6bf534dddb51f4da4.exe
-
Size
1.1MB
-
Sample
240328-cm5ytsaf58
-
MD5
b498d010f13c60756817426770386b7f
-
SHA1
17f91021c16decd629940650599f28dde95f7b8f
-
SHA256
3a130b306b03d9d0d402d9bd69f4234e4e5edf0e72f3c4a6bf534dddb51f4da4
-
SHA512
7de06b1ae7b9edace7577c0b71e007d9a8b8c3cebe722f74dffaac6ee83a349b4af3e18804e55063fa8145f353167a9806d5c72b45ff876fcfff8691d456e459
-
SSDEEP
24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8a9/5bFAXdTiM2zE:RTvC/MTQYxsWR7a9dkdLO
Static task
static1
Behavioral task
behavioral1
Sample
3a130b306b03d9d0d402d9bd69f4234e4e5edf0e72f3c4a6bf534dddb51f4da4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3a130b306b03d9d0d402d9bd69f4234e4e5edf0e72f3c4a6bf534dddb51f4da4.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6776344622:AAE2QGMduuZ12VrNAxC91B7E3v-RBpjCMNI/
Targets
-
-
Target
3a130b306b03d9d0d402d9bd69f4234e4e5edf0e72f3c4a6bf534dddb51f4da4.exe
-
Size
1.1MB
-
MD5
b498d010f13c60756817426770386b7f
-
SHA1
17f91021c16decd629940650599f28dde95f7b8f
-
SHA256
3a130b306b03d9d0d402d9bd69f4234e4e5edf0e72f3c4a6bf534dddb51f4da4
-
SHA512
7de06b1ae7b9edace7577c0b71e007d9a8b8c3cebe722f74dffaac6ee83a349b4af3e18804e55063fa8145f353167a9806d5c72b45ff876fcfff8691d456e459
-
SSDEEP
24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8a9/5bFAXdTiM2zE:RTvC/MTQYxsWR7a9dkdLO
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-