General
-
Target
413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f.hta
-
Size
8KB
-
Sample
240430-bm6dxsgd81
-
MD5
faf3762a6e994f4e79d87d817ce62e16
-
SHA1
85517ba95bed123d356ce026192d913acf6e97ea
-
SHA256
413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f
-
SHA512
b7522895d2d72d1980184b0d0dc19d1e22082311bfbbe77ead3e9039c650dd5527970c86a74982c87e05255d18e7c6b016187747b4b99be0b155ca351ecf1c92
-
SSDEEP
192:pFH6Jy7ik4n2AV2PP0PFDQlHfCe4z9dfzWQ/0EY2ibM0wTstRA:pj472EPFy/Ce4znfzWQ//JiM5Te+
Static task
static1
Behavioral task
behavioral1
Sample
413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f.hta
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f.hta
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.petrolic-eg.com - Port:
21 - Username:
outcome - Password:
Random@1245
Targets
-
-
Target
413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f.hta
-
Size
8KB
-
MD5
faf3762a6e994f4e79d87d817ce62e16
-
SHA1
85517ba95bed123d356ce026192d913acf6e97ea
-
SHA256
413edb098cc00d5456c57941a10faf691f8ca3266ae6d8538636b7ea9bcf660f
-
SHA512
b7522895d2d72d1980184b0d0dc19d1e22082311bfbbe77ead3e9039c650dd5527970c86a74982c87e05255d18e7c6b016187747b4b99be0b155ca351ecf1c92
-
SSDEEP
192:pFH6Jy7ik4n2AV2PP0PFDQlHfCe4z9dfzWQ/0EY2ibM0wTstRA:pj472EPFy/Ce4znfzWQ//JiM5Te+
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-