General
-
Target
5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243.exe
-
Size
686KB
-
Sample
240328-crhzvsag25
-
MD5
5d76a9e3a1948a1307330e52cfefd7bb
-
SHA1
28b7ec354c2d4202278bab3c742eb06f36c56902
-
SHA256
5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243
-
SHA512
5d29d8b0153c21c9d33ea72b9abc50a66324e6291a7ae4ef96d7e284253f774f9f1a75794df859eb0f456c219076f7330b1d1bbdf2ac16c1d6125dcb2c81b376
-
SSDEEP
12288:RphmU6GDRn/dWA9NhoaFREwZ2+TAjliqMRgYHaNgI9b46IdAK:nNn77hKwZFEkXhogI9blI
Static task
static1
Behavioral task
behavioral1
Sample
5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.gosportz.in - Port:
587 - Username:
sales@gosportz.in - Password:
Ss@gosportz - Email To:
info.superseal@yandex.com
Extracted
Protocol: smtp- Host:
mail.gosportz.in - Port:
587 - Username:
sales@gosportz.in - Password:
Ss@gosportz
Targets
-
-
Target
5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243.exe
-
Size
686KB
-
MD5
5d76a9e3a1948a1307330e52cfefd7bb
-
SHA1
28b7ec354c2d4202278bab3c742eb06f36c56902
-
SHA256
5b494f1ff90dc1d527b8c1b301bdccef380ee9b0bc771486975c1f0075ba9243
-
SHA512
5d29d8b0153c21c9d33ea72b9abc50a66324e6291a7ae4ef96d7e284253f774f9f1a75794df859eb0f456c219076f7330b1d1bbdf2ac16c1d6125dcb2c81b376
-
SSDEEP
12288:RphmU6GDRn/dWA9NhoaFREwZ2+TAjliqMRgYHaNgI9b46IdAK:nNn77hKwZFEkXhogI9blI
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables packed with or use KoiVM
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-