General
- Target: 9c49bbe71a875101949fd0ddf980825c8ac09d566c9e55c2ac94caf8052f5e2e.exe
- Size: 725KB
- Sample: 240328-cy22baah45
- MD5: 3afc031f6c1a6ec6d4d075351c16529b
- SHA1: 25b3288e34d9b6473572d2f4264c27546700faa6
- SHA256: 9c49bbe71a875101949fd0ddf980825c8ac09d566c9e55c2ac94caf8052f5e2e
- SHA512: 102c95629b14ba98256f56d14a6418a5f0bb79b562d129b948fdafd1b0d29ade909c1cdc5d0854460ba6ccf240e3be763d9b038cdd735a7c28cb5213be1b7556
- SSDEEP: 12288:U4CMwY4XU5F5gIKxGA87K5BV5lwKSj6bthuaLlsXaeyXYAlRzFIhuaOaT1upA7kR:li0Fm4IBV5vtUa+bLAlR5IhV1i
Static task: static1
Behavioral task: behavioral1
- Sample: 9c49bbe71a875101949fd0ddf980825c8ac09d566c9e55c2ac94caf8052f5e2e.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 9c49bbe71a875101949fd0ddf980825c8ac09d566c9e55c2ac94caf8052f5e2e.exe
- Resource: win10v2004-20240226-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.animetals.com.my
- Port: 587
- Username: admin@animetals.com.my
- Password: 8VHMY#KF%kpF
- Email To: newmankint@yandex.com
Targets
Score: 10/10
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables packed with SmartAssembly.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext