General
Target: 843fa4dd9e5d81d150e4d6cd251dc26dafc7409bb4516abebce70114c62548c6.exe
Size: 2.8MB
Sample: 240329-cvrq6sfc4z
MD5: 73f2aa0989d9fcb98763fbb461422f9f
SHA1: 27b4d0302c43e95c19942eea9dea94d673e18578
SHA256: 843fa4dd9e5d81d150e4d6cd251dc26dafc7409bb4516abebce70114c62548c6
SHA512: 040c671c5f1bf2eecc391680ce18f728d4c818b170d9e240541f2cfc8fa1f160c6f3feeacec78ccbfcd0010694c9a17acf926e0c0a9b8a7145bc199970dd7abd
SSDEEP: 49152:A7XLm8xI2nCY8EoVZT6JGsBp0PWInu9vxnBoqdWGJa/3HWPWar:mbmJYpoVwlpuWX9l3a/3HMWa
Static task: static1
Behavioral task: behavioral1
Sample: 843fa4dd9e5d81d150e4d6cd251dc26dafc7409bb4516abebce70114c62548c6.exe
Resource: win7-20240221-en
Malware Config
Extracted: agenttesla
https://discord.com/api/webhooks/1220536277670170814/IOSQHt77jsZT7zo7kkUiyq8x8TaToq4-BxVLqMXGe4ffWubgOFeoq2CnEl3NjjJYkJNd
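The extracted config above is a Discord webhook: the numeric segment of the path is the webhook ID and the trailing segment is its token. The script below is an added example written for this page, not the sandbox's own config extractor. It pulls webhook URLs out of a strings or memory dump, splits out the ID and token (the two values to report and block), and decodes the ID as a Discord snowflake to recover when the webhook was created. The host variants accepted by the regex and the byte string standing in for a strings dump are assumptions constructed for illustration; the only real data in it is the webhook from this report.

```python
"""Parse a Discord webhook pulled from an AgentTesla config.

Added example, not part of the sandbox report or its extractor. Three checks a
practitioner runs on an extracted webhook before acting on it:
  1. find every Discord webhook URL in a blob of strings,
  2. split it into webhook ID and token,
  3. decode the ID, a Discord snowflake, into the webhook's creation time:
     (id >> 22) milliseconds after the Discord epoch (2015-01-01T00:00:00Z).
"""
import re
from datetime import datetime, timedelta, timezone

# Webhook URL shape: /api/webhooks/<snowflake id>/<token>.
# The optional canary./ptb. subdomains and discordapp.com host are assumed
# from Discord's public URL scheme, not taken from the report.
WEBHOOK_RE = re.compile(
    rb"https?://(?:(?:canary|ptb)\.)?discord(?:app)?\.com/api/webhooks/"
    rb"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})"
)

DISCORD_EPOCH_MS = 1_420_070_400_000  # 2015-01-01T00:00:00Z in Unix ms
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def find_webhooks(blob: bytes) -> list[dict]:
    """Return every webhook URL in `blob` with its ID and token split out."""
    return [
        {
            "url": m.group(0).decode(),
            "id": m.group("id").decode(),
            "token": m.group("token").decode(),
        }
        for m in WEBHOOK_RE.finditer(blob)
    ]


def snowflake_created_utc(snowflake: str) -> datetime:
    """Creation time encoded in a Discord snowflake (top 42 bits = ms offset).

    Integer arithmetic only, so the millisecond is preserved exactly.
    """
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def report(blob: bytes) -> list[dict]:
    """Webhook IOCs plus the decoded creation time for each, ready to log."""
    out = []
    for wh in find_webhooks(blob):
        created = snowflake_created_utc(wh["id"])
        out.append({**wh, "created_utc": created.isoformat()})
    return out


# Constructed stand-in for a strings/memory dump of the sample: the webhook
# from the report's Malware Config section surrounded by unrelated strings,
# including a non-webhook Discord API URL that must not match.
SAMPLE_STRINGS = (
    b"\x00\x00Mozilla/5.0\x00"
    b"https://discord.com/api/webhooks/1220536277670170814/"
    b"IOSQHt77jsZT7zo7kkUiyq8x8TaToq4-BxVLqMXGe4ffWubgOFeoq2CnEl3NjjJYkJNd"
    b"\x00SetThreadContext\x00https://discord.com/api/v9/users/@me\x00"
)


if __name__ == "__main__":
    for entry in report(SAMPLE_STRINGS):
        print(f"webhook id {entry['id']} created {entry['created_utc']}")
        print(f"  token prefix {entry['token'][:8]}... (block the full URL)")
```

Run against this report's webhook, the ID decodes to a creation time of 2024-03-22 00:55:25 UTC, one week before the sample ID date (240329), which is the kind of timeline detail worth carrying into the incident record alongside the URL itself. The ID and token are what a takedown request to Discord needs; the full URL is what goes into the proxy block list.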
Targets
Target: 843fa4dd9e5d81d150e4d6cd251dc26dafc7409bb4516abebce70114c62548c6.exe
Size: 2.8MB
MD5: 73f2aa0989d9fcb98763fbb461422f9f
SHA1: 27b4d0302c43e95c19942eea9dea94d673e18578
SHA256: 843fa4dd9e5d81d150e4d6cd251dc26dafc7409bb4516abebce70114c62548c6
SHA512: 040c671c5f1bf2eecc391680ce18f728d4c818b170d9e240541f2cfc8fa1f160c6f3feeacec78ccbfcd0010694c9a17acf926e0c0a9b8a7145bc199970dd7abd
SSDEEP: 49152:A7XLm8xI2nCY8EoVZT6JGsBp0PWInu9vxnBoqdWGJa/3HWPWar:mbmJYpoVwlpuWX9l3a/3HMWa
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1
- Detects packed .NET executables, mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables referencing a Discord URL, observed in first-stage droppers.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext