General
-
Target
49a656f7ee544b5f21726a0f0f5469bd7a15aaa4615b53c4b0dac92b4aea308b.img
-
Size
562KB
-
Sample
240430-bpjb6sga97
-
MD5
0f3c6f0d2eccbcdc76e847ea0f62f15e
-
SHA1
4baf2036c231dc9a0fba13e6d7d551b27b5b4194
-
SHA256
49a656f7ee544b5f21726a0f0f5469bd7a15aaa4615b53c4b0dac92b4aea308b
-
SHA512
a3efe41ce4ae7bd4689fe41c6e1cdb41f8cb4227eae4695a961c00d3305562d59e5bc25f4221c230052a478a505ed6118f95bb09468ffc3dd282be3e849aa1f5
-
SSDEEP
6144:2Z6ySmRH93qXyS8KevIl/8/vpwO4XMGdKf4xU0PrH7KjnvQWTk85KqZIMHYJqE4E:ZySuRbpGv64vPrHmnkb+NHYqXZ4fa
Static task
static1
Behavioral task
behavioral1
Sample
Ref227395588_pdf.scr
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Ref227395588_pdf.scr
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
gator3220.hostgator.com - Port:
587 - Username:
[email protected] - Password:
28#75@ts76#V1F8h - Email To:
[email protected]
Targets
-
-
Target
Ref227395588_pdf.scr
-
Size
505KB
-
MD5
88db09b12a478cac87ed465252c6c8f7
-
SHA1
0e3acd2b568bd58fcfd2e914eff2c982deb55258
-
SHA256
0f0b721073a35fe3e6b37d75582704acd5bdc1b3d71343e74d6fec59ac932deb
-
SHA512
7d228d662e3271920094e345d36597c2e6c880d12fc3cef8c3f1206711a0b49f93d2275b5527d8ce88c1e3772d0b011161d1bd16688cb9db28471a75b949ab67
-
SSDEEP
6144:+Z6ySmRH93qXyS8KevIl/8/vpwO4XMGdKf4xU0PrH7KjnvQWTk85KqZIMHYJqE4E:RySuRbpGv64vPrHmnkb+NHYqXZ4fa
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-