General

Target: 47361c18c953725b9469ef9a229e109e981bdd1b2673f7ad582d98d1447110c3.exe
Size: 661KB
Sample: 240430-bn55jsge5w
MD5: ff46c0bcefe3460241f6291f551c461a
SHA1: cde992ddcc16e2c42d39c89c48af840e354a0f29
SHA256: 47361c18c953725b9469ef9a229e109e981bdd1b2673f7ad582d98d1447110c3
SHA512: f518d63316294e291449206ff09897decef7275d235e57bc5c6fd98113f9458bd6c1c8807a12b015bf6238fa0b663cce18af80566916172554a28e62807a3525
SSDEEP: 12288:qRB778QCdqBOxWqLOZhxqAA8qmZ7WKGYBI0pdY:GB8dqq8qmZrg
Static task: static1

Behavioral task: behavioral1
Sample: 47361c18c953725b9469ef9a229e109e981bdd1b2673f7ad582d98d1447110c3.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: 47361c18c953725b9469ef9a229e109e981bdd1b2673f7ad582d98d1447110c3.exe
Resource: win10v2004-20240419-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.myhydropowered.com
Port: 587
Username: [email protected]
Password: qMkzJ0n1W2XEuTx
Email To: [email protected]

The host, port and mailbox are the operator's exfiltration endpoint and can be used directly as network and mail indicators; the password belongs to the operator's mail account, not to a victim. Port 587 is the SMTP submission port, so the session is likely to be upgraded with STARTTLS, leaving only the DNS lookup and the TCP connection visible to network monitoring.
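The extracted SMTP endpoint, together with the external-IP lookup reported among the signatures below, gives a defender two network indicators to correlate. The Python below is an added example and not part of this report: it parses a few constructed connection-log lines, flags traffic to the configured host and port, and raises confidence when the same source host queried a public IP-lookup service shortly beforehand. The log format and the list of IP-lookup hostnames are assumptions; the report does not name the service the sample used.

```python
import re
from dataclasses import dataclass

# Exfiltration endpoint from the extracted Agent Tesla config in this report.
EXFIL_HOST = "mail.myhydropowered.com"
EXFIL_PORT = 587

# Public IP-lookup services often contacted by infostealers before exfiltration.
# The report only says "a legitimate IP lookup service"; these hostnames are an
# assumption for the example, not something the report names.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "ip-api.com", "icanhazip.com"}

# Constructed connection log (not from the report). Assumed format per line:
# "<epoch_ts> <conn_id> <src_ip> <src_port> <dst_host> <dst_port> <proto>"
SAMPLE_LOG = """\
1714447201.112 CXa1 10.0.0.5 49812 api.ipify.org 80 tcp
1714447202.304 CXa2 10.0.0.5 49813 mail.myhydropowered.com 587 tcp
1714447205.009 CXa3 10.0.0.5 49814 www.microsoft.com 443 tcp
1714447206.777 CXa4 10.0.0.7 51020 mail.myhydropowered.com 25 tcp
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\S+\s+(?P<src>\S+)\s+\d+\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+\S+$")


@dataclass
class Conn:
    ts: float
    src: str
    dst_host: str
    dst_port: int


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append(Conn(float(m["ts"]), m["src"], m["dst"].lower(), int(m["port"])))
    return conns


def classify(conn):
    """Map one connection to the indicator it matches, if any."""
    if conn.dst_host == EXFIL_HOST:
        # Same mail host on another port still deserves a look (config variants, fallback).
        return "exfil_smtp" if conn.dst_port == EXFIL_PORT else "exfil_host_other_port"
    if conn.dst_host in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    return None


def find_exfil_chains(conns, window=60.0):
    """Per source host, raise confidence when an external-IP lookup precedes an SMTP
    submission to the configured exfil host within `window` seconds."""
    findings = []
    by_src = {}
    for c in sorted(conns, key=lambda c: c.ts):
        by_src.setdefault(c.src, []).append(c)
    for src, seq in by_src.items():
        last_lookup = None
        for c in seq:
            kind = classify(c)
            if kind == "external_ip_lookup":
                last_lookup = c
            elif kind == "exfil_smtp":
                chained = last_lookup is not None and c.ts - last_lookup.ts <= window
                findings.append((src, "high" if chained else "medium", c.ts))
            elif kind == "exfil_host_other_port":
                findings.append((src, "low", c.ts))
    return findings


if __name__ == "__main__":
    for src, confidence, ts in find_exfil_chains(parse_log(SAMPLE_LOG)):
        print(f"{confidence:6s} {src} contacted {EXFIL_HOST} at {ts}")
```

The host-level indicator alone is worth a medium-confidence alert; the lookup-then-submit sequence from one source is what distinguishes a stealer's beacon from a stray connection to the same mail server.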
Targets

Target: 47361c18c953725b9469ef9a229e109e981bdd1b2673f7ad582d98d1447110c3.exe
Score: 10/10

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); the extracted config shows that this sample exfiltrates over SMTP.
- Detects packed .NET executables, mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext: setting the context of a thread in another process is a standard step of process hollowing, where a child created suspended has its entry point redirected to injected code before it is resumed.
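The SetThreadContext signature is a single API hit; what makes it meaningful is the sequence around it. As an added example (not part of this report), the Python below walks a constructed sandbox-style API trace and reports process hollowing only when the caller created a child suspended, wrote into it and then replaced its thread context, scoring higher when the original image was unmapped first and ignoring SetThreadContext on the caller's own threads. The pids, tids, sizes and the child image path are placeholders; the report does not name the hollowed process.

```python
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess


@dataclass
class ApiCall:
    pid: int    # calling process
    api: str    # Win32/Nt API name as a sandbox would log it
    args: dict  # subset of logged arguments used by the check


@dataclass
class Child:
    parent: int
    tid: int            # primary thread of the created process
    suspended: bool     # created with CREATE_SUSPENDED
    unmapped: bool = False
    written: bool = False
    context_set: bool = False


# Constructed sandbox-style API trace. The report only states "Suspicious use of
# SetThreadContext"; pids, tids, sizes and the child image path are placeholders
# chosen to illustrate the hollowing sequence.
TRACE = [
    ApiCall(1200, "CreateProcessW", {"image": r"C:\path\to\host.exe", "flags": CREATE_SUSPENDED,
                                     "child_pid": 1340, "child_tid": 1344}),
    ApiCall(1200, "NtUnmapViewOfSection", {"target_pid": 1340}),
    ApiCall(1200, "VirtualAllocEx", {"target_pid": 1340, "size": 0x4A000}),
    ApiCall(1200, "WriteProcessMemory", {"target_pid": 1340, "size": 0x4A000}),
    ApiCall(1200, "SetThreadContext", {"target_tid": 1344}),
    ApiCall(1200, "ResumeThread", {"target_tid": 1344}),
    # Benign contrast: a process adjusting one of its own threads (e.g. an exception handler).
    ApiCall(2000, "SetThreadContext", {"target_tid": 2004}),
]


def detect_hollowing(trace):
    """Return one finding per child that was created suspended, had memory written
    into it, and then had its thread context replaced by the parent."""
    children = {}     # child pid -> Child
    tid_owner = {}    # child tid -> child pid
    findings = []
    for call in trace:
        a = call.args
        if call.api == "CreateProcessW":
            children[a["child_pid"]] = Child(
                call.pid, a["child_tid"], bool(a.get("flags", 0) & CREATE_SUSPENDED))
            tid_owner[a["child_tid"]] = a["child_pid"]
        elif call.api == "NtUnmapViewOfSection" and a.get("target_pid") in children:
            children[a["target_pid"]].unmapped = True
        elif call.api == "WriteProcessMemory" and a.get("target_pid") in children:
            children[a["target_pid"]].written = True
        elif call.api == "SetThreadContext":
            pid = tid_owner.get(a["target_tid"])
            if pid is None:
                continue  # not a thread of a process created in this trace: no cross-process signal
            child = children[pid]
            child.context_set = True
            if child.suspended and child.written and child.parent == call.pid:
                findings.append({
                    "parent": child.parent,
                    "child": pid,
                    # Unmapping the original image first is the classic hollowing pattern;
                    # without it the write may only be an entry-point patch, so score lower.
                    "confidence": "high" if child.unmapped else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(TRACE):
        print(f"process hollowing: pid {f['parent']} -> pid {f['child']} ({f['confidence']})")
```

Keying the check on the child's primary thread id is what lets the rule distinguish cross-process context tampering from a process touching its own threads, which is why the lone SetThreadContext call from pid 2000 produces nothing.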