General
-
Target
222370596f59183040772e971c9b262d1fa1aba5386b448e423c6cff2d23319a.exe
-
Size
867KB
-
Sample
240329-cj79saeh6t
-
MD5
2c520c9db37e16343941bbba36fc22ef
-
SHA1
b168bb726e9ec94166e60cc3d502843058ede5a4
-
SHA256
222370596f59183040772e971c9b262d1fa1aba5386b448e423c6cff2d23319a
-
SHA512
097379427ac91ccde3e7cf09223a8f6a9955c77c786d975e78aa7c5a5e693b92c172322ecc6c32dfc80e4ae2964c805f11ac0268afd95aa82921b296666d758a
-
SSDEEP
12288:Z6Wq4aaE6KwyF5L0Y2D1PqL/2p7v95HcYuHfWpKbyiJZUHKA4b5:vthEVaPqLOp7v954uMbyiJWHKAK5
Behavioral task
behavioral1
Sample
222370596f59183040772e971c9b262d1fa1aba5386b448e423c6cff2d23319a.exe
Resource
win7-20240221-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6811787827:AAEr4cj8xrQKX5i6BnPzE4vzpRaL4EziTo4/
Targets
-
-
Target
222370596f59183040772e971c9b262d1fa1aba5386b448e423c6cff2d23319a.exe
-
Size
867KB
-
MD5
2c520c9db37e16343941bbba36fc22ef
-
SHA1
b168bb726e9ec94166e60cc3d502843058ede5a4
-
SHA256
222370596f59183040772e971c9b262d1fa1aba5386b448e423c6cff2d23319a
-
SHA512
097379427ac91ccde3e7cf09223a8f6a9955c77c786d975e78aa7c5a5e693b92c172322ecc6c32dfc80e4ae2964c805f11ac0268afd95aa82921b296666d758a
-
SSDEEP
12288:Z6Wq4aaE6KwyF5L0Y2D1PqL/2p7v95HcYuHfWpKbyiJZUHKA4b5:vthEVaPqLOp7v954uMbyiJWHKAK5
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
UPX dump on OEP (original entry point)
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-