General
Target: 7505bdf96dd102139d059cd1e0ccf938dd4e4ec1626b14d4ccbb6cf0cf09c669.rar
Size: 767KB
Sample: 240427-bt5e7sgb36
MD5: 6e6c90594ca05dddeb1398f2c1fd1226
SHA1: e0d95d889f2d4e5ba2349e98755024eb2a6f91f3
SHA256: 7505bdf96dd102139d059cd1e0ccf938dd4e4ec1626b14d4ccbb6cf0cf09c669
SHA512: 8f023ec8c222637b243159ab857e742d3e49e0f635a3166cbd9de9e482747766b13c9e24f8853f564655cf072f1a95947ab639e6698273576d88cb67c0746084
SSDEEP: 12288:kD7Vte+LMx+7MMCdIn8xynpsXYTYSDQ2/HKTm/9ZJhd4W3py4+77nO/koS+jqmXx:kDbe+LMxoMhZxeoV6J/qW3J15y4+7qGI
Static task: static1
Behavioral task: behavioral1
  Sample: Remittance_Advice 26042024.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: Remittance_Advice 26042024.exe
  Resource: win10v2004-20240419-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.innomedjsc.com
  Port: 587
  Username: [email protected]
  Password: s]~5ai)IFpr-
  Email To: [email protected]
Targets
Target: Remittance_Advice 26042024.exe
Size: 837KB
MD5: f78fac7fbb75ddcc67dd7cb5b6b6ea97
SHA1: a9b9c8f3121cb128882d3e59b7ba2b045ce0792f
SHA256: cd3e530bfaf604d4e59e78d8d8761ab63f0d3d57beff38c1f4802993226af6bb
SHA512: ec39ce438175b8e431f28ec559f707fd631c66f7e9c4160e28639e12930be14163439b2f03b834433cf1cebcad0e87fa93028ce70148103bff09ee664970341c
SSDEEP: 12288:9bqnHvjNIrpf9rN/mc/CbTrMSrJjxddkDEb8LjkyUtGWpGwvNqKdzPjzow4bkR:9uPjKr5BNDKvBn0kySRpGwoKFzow7
Score: 10/10
Detections
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Suspicious use of SetThreadContext.