General
-
Target
aa5e905630fdcd343ea0c1bdc41c67ec3b60abcab50f2ed7bcfba931e7d30f11.exe
-
Size
2.4MB
-
Sample
240329-c2g6baga29
-
MD5
749404f8b6bd72307f017d1fd8f3081e
-
SHA1
84995cbfec91c10df85c97d0f7acec531dba455c
-
SHA256
aa5e905630fdcd343ea0c1bdc41c67ec3b60abcab50f2ed7bcfba931e7d30f11
-
SHA512
1be07e218ebbe3750c0a62d2ca69bd3be19732fcb99452e7df111df79bccd5039893b37fd8ab31af1ba27b1c40ec90efa3803b6b2023141ce496c033b8dfd112
-
SSDEEP
49152:i5L4P8xfttrOoXDhNkxtOTBcziRLhT2vWkYd9n:OymFtrOGhNkxY9RcOkY
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
gator3220.hostgator.com - Port:
587 - Username:
[email protected] - Password:
VvMMgD#w!TZmaka!@ - Email To:
[email protected]
Targets
-
-
Target
aa5e905630fdcd343ea0c1bdc41c67ec3b60abcab50f2ed7bcfba931e7d30f11.exe
-
Size
2.4MB
-
MD5
749404f8b6bd72307f017d1fd8f3081e
-
SHA1
84995cbfec91c10df85c97d0f7acec531dba455c
-
SHA256
aa5e905630fdcd343ea0c1bdc41c67ec3b60abcab50f2ed7bcfba931e7d30f11
-
SHA512
1be07e218ebbe3750c0a62d2ca69bd3be19732fcb99452e7df111df79bccd5039893b37fd8ab31af1ba27b1c40ec90efa3803b6b2023141ce496c033b8dfd112
-
SSDEEP
49152:i5L4P8xfttrOoXDhNkxtOTBcziRLhT2vWkYd9n:OymFtrOGhNkxY9RcOkY
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-