General
- Target: 0857d1c0085ba3bff25c8b1975846d8ba130c4096e2e4f664ac071b278e42b56.rar
- Size: 767KB
- Sample: 240427-bc7h8sfe88
- MD5: 88a90c7df8e6354027dc89b7e4247b82
- SHA1: 5dab15a515f41d448537f4c2c31866c0044b5ce0
- SHA256: 0857d1c0085ba3bff25c8b1975846d8ba130c4096e2e4f664ac071b278e42b56
- SHA512: 905da585a072dc943e500ef35fff25dec981bda40292b4ea7c1d9465791a11c378ec908e95949385b03cc6241e73a1b682a4a78f05441f2c7f324c18991eba83
- SSDEEP: 12288:Nyfh88LtMRBWyrSpiQZX4QROa/779RyOs0uoh+yxaPgCYVvYEBB7wb43Owk0932y:NIztkBWyryHZX4Mps0dh+yAPg1v1BHei
Static task
- static1
Behavioral task
- behavioral1 (Sample: CHEMICAL SPECIFICATIONS.exe; Resource: win7-20240419-en)
Behavioral task
- behavioral2 (Sample: CHEMICAL SPECIFICATIONS.exe; Resource: win10v2004-20240419-en)
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.ercolina-usa.com
- Port: 21
- Username: [email protected]
- Password: 1.$.#t~cK;4C
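The extracted configuration above is the sample's exfiltration channel: plain FTP to a fixed host on port 21 with hard-coded credentials, which is exactly what a defender wants to turn into a hunt. The script below is an added example, not part of the sandbox report or of any AgentTesla tooling. It parses the report's run-together "Key: value- Key: value" text into fields (the regex and field names are this script's own), strips the scheme from the host, and then scans a handful of constructed egress log lines (documentation-range IPs, a log format invented for this example) for connections to that host and port, flagging any other plain-FTP egress on the same port as worth a second look.

```python
"""Parse the FTP exfiltration configuration a sandbox extracted from an
AgentTesla sample and hunt for matching egress in network logs.

Added example: REPORT_CONFIG is the page's own extracted-config text,
the log lines are constructed, and the log format is this script's own.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# The report flattens the config as "Key: value- Key: value" across wrapped
# lines; the username appears redacted on the page and is kept as shown.
REPORT_CONFIG = """Protocol: ftp- Host:
ftp://ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
1.$.#t~cK;4C"""

FIELDS = ("Protocol", "Host", "Port", "Username", "Password")


@dataclass(frozen=True)
class ExfilConfig:
    protocol: str
    host: str      # bare hostname, scheme stripped
    port: int
    username: str
    password: str


def parse_config(text: str) -> ExfilConfig:
    """Recover key/value pairs from the run-together report text.

    A value runs until a dash that is immediately followed by the next known
    key, so values that themselves contain dashes (the hostname) stay intact.
    """
    flat = " ".join(line.strip() for line in text.splitlines())
    keys = "|".join(FIELDS)
    pattern = rf"({keys}):\s*(.*?)(?=\s*-\s*(?:{keys}):|$)"
    pairs = dict(re.findall(pattern, flat))
    missing = [k for k in FIELDS if k not in pairs]
    if missing:
        raise ValueError(f"config block is missing fields: {missing}")
    raw_host = pairs["Host"]
    host = urlparse(raw_host).hostname if "://" in raw_host else raw_host
    return ExfilConfig(
        protocol=pairs["Protocol"].lower(),
        host=host.lower(),
        port=int(pairs["Port"]),
        username=pairs["Username"],
        password=pairs["Password"],
    )


# Constructed egress log lines (documentation-range IPs). The format is this
# script's own: "<ts> <src> -> <dst_ip>:<dst_port> <proto> host=<name>".
LOG_LINES = [
    "2024-04-27T10:01:12Z 10.0.0.15:49812 -> 93.184.216.34:443 tcp host=www.example.com",
    "2024-04-27T10:01:45Z 10.0.0.15:49833 -> 198.51.100.7:21 tcp host=ftp.ercolina-usa.com",
    "2024-04-27T10:02:03Z 10.0.0.22:52001 -> 203.0.113.9:21 tcp host=ftp.vendor.example",
    "2024-04-27T10:02:30Z 10.0.0.22:52010 -> 203.0.113.9:443 tcp host=ftp.vendor.example",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"(?P<proto>\w+) host=(?P<host>\S+)$"
)


def hunt(cfg: ExfilConfig, lines: List[str]) -> List[Tuple[str, str]]:
    """Return (verdict, line) for every line worth reviewing.

    'c2-host'   : traffic to the extracted exfil host on the extracted port
    'port-only' : another host on the same port; plain FTP egress is rare
                  enough on most networks that it merits a look
    """
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host, port = m["host"].lower(), int(m["dst_port"])
        if host == cfg.host and port == cfg.port:
            hits.append(("c2-host", line))
        elif port == cfg.port:
            hits.append(("port-only", line))
    return hits


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    print(f"exfil target: {cfg.protocol}://{cfg.host}:{cfg.port} as {cfg.username}")
    for verdict, line in hunt(cfg, LOG_LINES):
        print(f"{verdict:10} {line}")
```

The host match is done on the name rather than the resolved IP because the sample carries only the hostname; in a real hunt, resolve it (and check passive DNS history) and add the resulting addresses as a second indicator, since the operator can repoint the name at any time.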
Targets
- Target: CHEMICAL SPECIFICATIONS.exe
- Size: 1.0MB
- MD5: f564f9251bd76e796906aebb35ae478a
- SHA1: e6b87808a2a2b26bcda776e971e442598402b2bd
- SHA256: 386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9
- SHA512: c979305cd640afe04056d36e327acee49d4c0fa9af77cd7ec9fa6463e7b0c145400be854deda5f8739956cdd95e3bceb44306d16f899487aee53e056f7144308
- SSDEEP: 24576:9wzV9w070Ln2qfI3F2IJ0mxhyEtWj9gBrZkpsZIjd4bnFdtJB:wV8n2q02IdnyPg1ZyGIjd4bFdtJB
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables packed with or using KoiVM.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext.