General
-
Target
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9.exe
-
Size
1.0MB
-
Sample
240427-bpdfxsgg81
-
MD5
f564f9251bd76e796906aebb35ae478a
-
SHA1
e6b87808a2a2b26bcda776e971e442598402b2bd
-
SHA256
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9
-
SHA512
c979305cd640afe04056d36e327acee49d4c0fa9af77cd7ec9fa6463e7b0c145400be854deda5f8739956cdd95e3bceb44306d16f899487aee53e056f7144308
-
SSDEEP
24576:9wzV9w070Ln2qfI3F2IJ0mxhyEtWj9gBrZkpsZIjd4bnFdtJB:wV8n2q02IdnyPg1ZyGIjd4bFdtJB
Static task
static1
Behavioral task
behavioral1
Sample
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
1.$.#t~cK;4C
Targets
-
-
Target
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9.exe
-
Size
1.0MB
-
MD5
f564f9251bd76e796906aebb35ae478a
-
SHA1
e6b87808a2a2b26bcda776e971e442598402b2bd
-
SHA256
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9
-
SHA512
c979305cd640afe04056d36e327acee49d4c0fa9af77cd7ec9fa6463e7b0c145400be854deda5f8739956cdd95e3bceb44306d16f899487aee53e056f7144308
-
SSDEEP
24576:9wzV9w070Ln2qfI3F2IJ0mxhyEtWj9gBrZkpsZIjd4bnFdtJB:wV8n2q02IdnyPg1ZyGIjd4bFdtJB
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables packed with or use KoiVM
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-