General
-
Target
0c37804bab8e0a7989e85c5ad1a917e9daf2d9e10c96af9e4f0e5449bfb527aa.exe
-
Size
1.1MB
-
Sample
240329-cgc1vseg4v
-
MD5
847bf4ff34d621e5c01b919c0e63621d
-
SHA1
c8540089067d721c3a0b9cad59535b819199bca4
-
SHA256
0c37804bab8e0a7989e85c5ad1a917e9daf2d9e10c96af9e4f0e5449bfb527aa
-
SHA512
d90347c1e1cea250d1b7c9e66f90296c1c18d4d9ecd9b4dcb04709e2acabec694958107520108afc09130500d0df1d66cad9787efbe73a4d1580a1674f0ff7ff
-
SSDEEP
24576:kqDEvCTbMWu7rQYlBQcBiT6rprG8aKuIhcQNWWWYV:kTvC/MTQYxsWR7aK5/NWWR
Static task
static1
Behavioral task
behavioral1
Sample
0c37804bab8e0a7989e85c5ad1a917e9daf2d9e10c96af9e4f0e5449bfb527aa.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0c37804bab8e0a7989e85c5ad1a917e9daf2d9e10c96af9e4f0e5449bfb527aa.exe
Resource
win10v2004-20240226-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6776344622:AAE2QGMduuZ12VrNAxC91B7E3v-RBpjCMNI/
Targets
-
-
Target
0c37804bab8e0a7989e85c5ad1a917e9daf2d9e10c96af9e4f0e5449bfb527aa.exe
-
Size
1.1MB
-
MD5
847bf4ff34d621e5c01b919c0e63621d
-
SHA1
c8540089067d721c3a0b9cad59535b819199bca4
-
SHA256
0c37804bab8e0a7989e85c5ad1a917e9daf2d9e10c96af9e4f0e5449bfb527aa
-
SHA512
d90347c1e1cea250d1b7c9e66f90296c1c18d4d9ecd9b4dcb04709e2acabec694958107520108afc09130500d0df1d66cad9787efbe73a4d1580a1674f0ff7ff
-
SSDEEP
24576:kqDEvCTbMWu7rQYlBQcBiT6rprG8aKuIhcQNWWWYV:kTvC/MTQYxsWR7aK5/NWWR
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-