General
- Target: 8b9b9705edefa8c599c6035b2ec7df05063306f7a5f0def6c0cd1476536d823b.rar
- Size: 617KB
- Sample: 240417-ca8tysae79
- MD5: 5779ce3611d611c170b29240c4e2e1d5
- SHA1: 2d0cfc3b0e0b9eeff91e1ea6dfc11e73002abf2c
- SHA256: 8b9b9705edefa8c599c6035b2ec7df05063306f7a5f0def6c0cd1476536d823b
- SHA512: 300961514f4d530cbd64fb4546cf26db44ac57f864122c9b3c7e9c59c27adf06ef24a97f594b5c6e7073e3ad5f1b47066e8d5ab8fdcbd93ac555ca2683fe9d2f
- SSDEEP: 12288:zVgGtuqWdkq733MBkrw7iAJMXi/Js4htFomzqoRagFJLTy/0/C:5q33Myw7a4LFlRBF00K
Static task: static1
Behavioral task: behavioral1
- Sample: YENİ SİPARİŞ PO .2024.exe
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: YENİ SİPARİŞ PO .2024.exe
- Resource: win10v2004-20240412-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.alfainterplast.com.ua
- Port: 587
- Username: [email protected]
- Password: pay2024password$$
- Email To: [email protected]
Targets
- Target: YENİ SİPARİŞ PO .2024.exe
- Size: 650KB
- MD5: 529a483f705a652ad2943e48f22cc037
- SHA1: b93f46e467c2f620884a9afdd70aaf8e0b6f65e7
- SHA256: 7b360b7d9ecc11f7eac58a50bca9abbb0ffcafb81df863eb24190d32fd3c6de6
- SHA512: 934c93a9a38fb64b768ad84f259af5b92710b86498076e2139d218af256da6168150ad94c48471eab17265c5bcdf033ef1076ce0297c4e2af9ad618957289301
- SSDEEP: 12288:daAvWzT370N692rKClw/znsMxiMDH+hNT13k8LrMNT1DKjlLw:VN6UrKClynjiMDuzXMNhD2k
Score: 10/10
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with SmartAssembly.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext.