General
-
Target
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d.exe
-
Size
356KB
-
Sample
240425-cg91lade6t
-
MD5
be60ea5cc4efb226b78a6a257ff112fd
-
SHA1
1bc68e94bf651242cd3ca51c34f9113992d4f9a7
-
SHA256
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d
-
SHA512
dcb28bde9d6d4726d59c3b62915992c26bbb1cd2f85a89895f8a2ada3ba11c79d0e4dcda4ebac14c257db09ccd0db05959af2db2e2032f622ed6cac8d724400f
-
SSDEEP
6144:CI8dwrN+sNKki7FYkxcpVotE2586h8YQbWTODuQckHooppgNoo9ELQbkm8UbL0:GUFtOq3Ct186eKwrc+np+Nos9km8U
Static task
static1
Behavioral task
behavioral1
Sample
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Targets
-
-
Target
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d.exe
-
Size
356KB
-
MD5
be60ea5cc4efb226b78a6a257ff112fd
-
SHA1
1bc68e94bf651242cd3ca51c34f9113992d4f9a7
-
SHA256
d7531e4728438f15714cd44a6ed353d5117b4a3b6db1ece8b945ca8eb0b1408d
-
SHA512
dcb28bde9d6d4726d59c3b62915992c26bbb1cd2f85a89895f8a2ada3ba11c79d0e4dcda4ebac14c257db09ccd0db05959af2db2e2032f622ed6cac8d724400f
-
SSDEEP
6144:CI8dwrN+sNKki7FYkxcpVotE2586h8YQbWTODuQckHooppgNoo9ELQbkm8UbL0:GUFtOq3Ct186eKwrc+np+Nos9km8U
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-