General
-
Target
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417.exe
-
Size
559KB
-
Sample
240425-ch8txsdd29
-
MD5
c07b805fafcddbc57b6e0b65576661b8
-
SHA1
685de0689697e3c3a1619167201234482a3be5b1
-
SHA256
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417
-
SHA512
205670f09f33512741a00667f183a3d8ea4b45db760aecfd5b5cd4eb1c599e7596eb23d7ba71a6f700e3a863085b109bef2066cc6122b9f2fd456ca98bf22991
-
SSDEEP
12288:W31Z8J/yo1ixRTiDPrdArieXdj9pve5p2P7r9r/+pppppppppppppppppppppppH:WX8tyHP8zdAiadj7vea1q
Static task
static1
Behavioral task
behavioral1
Sample
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417.exe
Resource
win10v2004-20240412-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
Asaprocky11 - Email To:
[email protected]
Targets
-
-
Target
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417.exe
-
Size
559KB
-
MD5
c07b805fafcddbc57b6e0b65576661b8
-
SHA1
685de0689697e3c3a1619167201234482a3be5b1
-
SHA256
dc09ed4ade0b108f9774523d064a9a074f46248f1fd42651ba6fb17820e6a417
-
SHA512
205670f09f33512741a00667f183a3d8ea4b45db760aecfd5b5cd4eb1c599e7596eb23d7ba71a6f700e3a863085b109bef2066cc6122b9f2fd456ca98bf22991
-
SSDEEP
12288:W31Z8J/yo1ixRTiDPrdArieXdj9pve5p2P7r9r/+pppppppppppppppppppppppH:WX8tyHP8zdAiadj7vea1q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-