General
-
Target
49a4f4ea4426e028c7cc2cab9d05cbfb0f7c7921cb03b3b357527b57126a7d8a.7z
-
Size
354KB
-
Sample
240430-bpfw2sga94
-
MD5
85a895d4ee4af817c738d01394ed524c
-
SHA1
a833b611d51ea84f638366ef32ea4769f60743c1
-
SHA256
49a4f4ea4426e028c7cc2cab9d05cbfb0f7c7921cb03b3b357527b57126a7d8a
-
SHA512
266083d1d34e7ac7e23a5f2e6b380fafc3d1acb8529b7e2571561f8d00c51f388a9c15a5feb1fe00d8f000138743d766ca8bbe1224a4684ca975075ad833b00c
-
SSDEEP
6144:iXcy5xBUNhu8e33ckXibCgP6Jti2NjG6DDjnmHjADzLwq6Zt:iM5Be33ckyfgfNjG6HjnmHEXkBj
Static task
static1
Behavioral task
behavioral1
Sample
purchase_order T&B19-20PO128.pdf.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
purchase_order T&B19-20PO128.pdf.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Targets
-
-
Target
purchase_order T&B19-20PO128.pdf.exe
-
Size
539KB
-
MD5
9eec1064506c06de9bbaf14f53b7c5d3
-
SHA1
496020ae9f009e860cc34e4f7f589752205d0d5a
-
SHA256
d1248b99698d1efcfddacc89384b3df62e8dce35251d7a96dbb13cd31b30f853
-
SHA512
045cce9c17fd98029965655140ce795be9f50d9273c0d95302f3b78d4a0712996ce751c7e62ddf5b49582e515b1c2b645a08b91f04aa6a9b69b5db868bdb5e87
-
SSDEEP
12288:ncXeKbnWfOOCA+YzSFzRqoYv4MP7r9r/+ppppppppppppppppppppppppppppp0G:nPVC7Bzu1q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-