General
Target: dd086621ee97b6f9a98b9b839b10bbb4a281b8e360cb26932de30768b82b23da.zip
Size: 623KB
Sample: 240424-cdxk4aea95
MD5: c93862066670d022b71313fec54babbb
SHA1: b26b968cbbfb02b749d9dbc48426aca6299e8c1b
SHA256: dd086621ee97b6f9a98b9b839b10bbb4a281b8e360cb26932de30768b82b23da
SHA512: c0ee82c16e3ebb756cf60a1c8c7c9f5864b323707fdf92f69f3215eba8c769b02cbe071a077012363cfb6b97844549ed2704e7a0b89db7b54402cf5808a16f2a
SSDEEP: 12288:glVaxCjA/Exn0A7qcSAzgaDlgGb9R5bzOixuebj335sr+e+Syg7bo0wqVpm7g5iH:gqeA/206ysJDl/hR5bCixuebL3brSygO
Static task: static1
Behavioral task: behavioral1
Sample: Bank slip.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: Bank slip.exe
Resource: win10v2004-20240412-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.alkuwaiti.com
Port: 587
Username: [email protected]
Password: Ele@1804
Email To: [email protected]
Extracted
Protocol: smtp
Host: mail.alkuwaiti.com
Port: 587
Username: [email protected]
Password: Ele@1804
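The extracted config is the most actionable part of this report: the sample exfiltrates over SMTP submission to a named third-party mail server. The following is an added example (not part of the sandbox report and not the analyst tooling behind it) that parses the config exactly as it was flattened on the page, derives the network indicators from it, and runs them over a handful of constructed endpoint log lines in an assumed `key=value` format. The "[email protected]" tokens are kept verbatim because the page redacts the real mailbox addresses.

```python
import re

# The SMTP config as it appears in the report above (the "[email protected]"
# tokens are the page's own redaction of the mailbox addresses, kept verbatim).
CONFIG_TEXT = """Protocol: smtp- Host:
mail.alkuwaiti.com - Port:
587 - Username:
[email protected] - Password:
Ele@1804 - Email To:
[email protected]"""

# Constructed endpoint/network log lines for the demo (not from the sandbox run);
# the "ts host=... event=... " layout is an assumption of this example.
SAMPLE_LOGS = [
    "2024-04-24T10:01:02Z host=ws-17 event=dns query=mail.alkuwaiti.com",
    "2024-04-24T10:01:03Z host=ws-17 event=conn dst=mail.alkuwaiti.com dport=587",
    "2024-04-24T10:05:44Z host=ws-02 event=conn dst=mail.alkuwaiti.com dport=443",
    "2024-04-24T10:05:50Z host=ws-02 event=conn dst=smtp.office365.com dport=587",
]


def parse_config(text):
    """Turn the flattened 'Key: value - Key: value' layout into a dict."""
    flat = " ".join(line.strip() for line in text.splitlines())
    # The extractor glued the first separator onto its value ("smtp- Host");
    # restore the " - " delimiter before splitting on it.
    flat = re.sub(r"(\S)- ", r"\1 - ", flat)
    fields = {}
    for part in flat.split(" - "):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def iocs_from_config(cfg):
    """Network indicators a defender can act on. The mailbox credentials are
    deliberately left out: they belong to a third party's (likely compromised)
    account and are for reporting, not for use."""
    return {"host": cfg["host"].lower(), "port": int(cfg["port"])}


def match_exfil(log_lines, iocs):
    """Classify every log line that touches the exfiltration host."""
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        target = (fields.get("query") or fields.get("dst") or "").lower()
        if target != iocs["host"]:
            continue
        if fields.get("event") == "dns":
            kind = "dns-lookup"
        elif int(fields.get("dport", "0")) == iocs["port"]:
            kind = "smtp-submission"   # host and port match the config: high confidence
        else:
            kind = "other-contact"     # same host, other service: review, do not auto-alert
        hits.append((kind, fields["host"], line))
    return hits


def suspect_hosts(hits):
    """Endpoints that made the high-confidence SMTP submission."""
    return {host for kind, host, _ in hits if kind == "smtp-submission"}


if __name__ == "__main__":
    iocs = iocs_from_config(parse_config(CONFIG_TEXT))
    hits = match_exfil(SAMPLE_LOGS, iocs)
    for kind, host, line in hits:
        print(f"{kind:16} {host:6} {line}")
    print("suspect endpoints:", suspect_hosts(hits))
```

The port-443 contact with the same host is kept as a separate, lower-confidence class on purpose: the exfiltration server here is a legitimate company mail host, so webmail traffic to it from an unrelated workstation is not by itself evidence of infection. A match on host and port 587 together is the signal worth paging on.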
Targets
Target: Bank slip.exe
Size: 643KB
MD5: 83d5996cdae805e2caaea0c087163700
SHA1: 2b69f4a9e66cb932f695fc0b004c81d34f3684d5
SHA256: ca444d4c1eac0d3464e99f59a3391aa587572814d5fbecfe1d02ac9bf84606e8
SHA512: c879cefa653c5abacaad7cd4ff49a61322b613db888cf21c37f343f2a2f8d31c79e2ee7cc33255eaef3030b63d530fc8deb08c57d1cab16e72206093ff01a9ed
SSDEEP: 12288:TSWPxnsANqcSezgcDlgGZ9d5bzNmBorZpOaAXmne+Sdq2A2cWjoI9:fsWyytDl/bd5biorPAWnrSdOrA
Score: 10/10
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET).
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: rewriting another thread's context is typically seen in process hollowing and other code-injection techniques, where it redirects execution into attacker-controlled code.
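Several of the signatures above are string-reference heuristics: a file that names many browsers, mail clients or FTP clients at once is far more likely to be a credential stealer than a legitimate program. The block below is an added example of that heuristic, not the sandbox's rule bodies; the application name lists and the threshold are this example's assumptions. It scans for each name both as ASCII and as UTF-16LE, because .NET binaries (which the packed-.NET signature points at) store string literals in UTF-16LE, so an ASCII-only scan misses most of what a .NET stealer references. The two byte blobs are constructed stand-ins, not bytes from Bank slip.exe.

```python
# Name lists and the threshold are this example's assumptions, not the sandbox's rules.
BROWSERS = ["Chrome", "Chromium", "Firefox", "Opera", "Brave", "Vivaldi", "Yandex", "Comodo Dragon"]
MAIL_CLIENTS = ["Outlook", "Thunderbird", "Foxmail", "Postbox", "eM Client", "IncrediMail", "Pocomail"]
FTP_CLIENTS = ["FileZilla", "WinSCP", "SmartFTP", "FlashFXP", "CoreFTP", "WS_FTP", "FTP Navigator"]
CATEGORIES = {"browsers": BROWSERS, "mail_clients": MAIL_CLIENTS, "ftp_clients": FTP_CLIENTS}
THRESHOLD = 4  # assumed: a category fires when this many distinct names appear


def find_refs(blob, names):
    """Names from `names` present in `blob` either as ASCII or as UTF-16LE.
    .NET user strings live in the #US heap as UTF-16LE, so checking only the
    ASCII form would miss them."""
    found = set()
    for name in names:
        if name.encode("ascii") in blob or name.encode("utf-16-le") in blob:
            found.add(name)
    return found


def classify(blob, threshold=THRESHOLD):
    """Categories at or above the threshold, mapped to the names that matched."""
    hits = {}
    for label, names in CATEGORIES.items():
        refs = find_refs(blob, names)
        if len(refs) >= threshold:
            hits[label] = refs
    return hits


def _wide(s):
    """UTF-16LE plus a terminator, mimicking a .NET string literal in memory."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a stealer's string table (not bytes from Bank slip.exe):
# five browser profile paths, four mail clients, one FTP client.
STEALER_BLOB = b"MZ\x90\x00" + b"".join(_wide(s) for s in [
    "\\Google\\Chrome\\User Data\\Default\\Login Data",
    "\\Mozilla\\Firefox\\Profiles",
    "\\Opera Software\\Opera Stable",
    "\\BraveSoftware\\Brave-Browser",
    "\\Vivaldi\\User Data",
    "Outlook", "Thunderbird", "Foxmail", "Postbox",
    "\\FileZilla\\recentservers.xml",
])

# Constructed benign installer text: one browser and one mail client, ASCII only.
BENIGN_BLOB = b"Setup will register the Chrome extension and the Outlook add-in."


if __name__ == "__main__":
    for label, blob in (("stealer-like", STEALER_BLOB), ("benign", BENIGN_BLOB)):
        print(label, classify(blob))
```

Substring matching on the wide form is deliberately loose: "Chrome" inside a full profile path still counts, which is what the real signatures rely on, since stealers reference the data-store paths rather than bare product names. The threshold is what keeps an installer or an update tool that mentions one or two products from firing.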