General
-
Target
ecc9bbdafb2ba01909619fcb94b8cd7ea04eed985362af023e18f90f7e989a96.exe
-
Size
8.7MB
-
Sample
240424-cfspxsea8x
-
MD5
48a61fb2d7953e4983597b9c62368022
-
SHA1
ff930355abfdbe906b0ab1f15045608e8a18ea96
-
SHA256
ecc9bbdafb2ba01909619fcb94b8cd7ea04eed985362af023e18f90f7e989a96
-
SHA512
1c9b577403b3b942914159a708db6b59824bcdfb865ebc76cd458fc436be3a2a27524ba1405b4d5ee1994e6118275fec7779eeb05d8e3f782d0978eb79adcba7
-
SSDEEP
196608:HTTO3JgjuroqLDNzLcQZvx7aZoNdhLQuo9v9nP00sOdhDeQdwJ2UET80DtpyCk0X:HTTO3JgjuroqLDNzLcQZvx7aZoNdhLQb
Static task
static1
Behavioral task
behavioral1
Sample
ecc9bbdafb2ba01909619fcb94b8cd7ea04eed985362af023e18f90f7e989a96.exe
Resource
win7-20240215-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.gencoldfire.com - Port:
587 - Username:
[email protected] - Password:
%j#!%z2b/?qM68K# - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.gencoldfire.com - Port:
587 - Username:
[email protected] - Password:
%j#!%z2b/?qM68K#
Targets
-
-
Target
ecc9bbdafb2ba01909619fcb94b8cd7ea04eed985362af023e18f90f7e989a96.exe
-
Size
8.7MB
-
MD5
48a61fb2d7953e4983597b9c62368022
-
SHA1
ff930355abfdbe906b0ab1f15045608e8a18ea96
-
SHA256
ecc9bbdafb2ba01909619fcb94b8cd7ea04eed985362af023e18f90f7e989a96
-
SHA512
1c9b577403b3b942914159a708db6b59824bcdfb865ebc76cd458fc436be3a2a27524ba1405b4d5ee1994e6118275fec7779eeb05d8e3f782d0978eb79adcba7
-
SSDEEP
196608:HTTO3JgjuroqLDNzLcQZvx7aZoNdhLQuo9v9nP00sOdhDeQdwJ2UET80DtpyCk0X:HTTO3JgjuroqLDNzLcQZvx7aZoNdhLQb
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-