General
-
Target
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d.exe
-
Size
1.1MB
-
Sample
240430-br4e5agb92
-
MD5
271556a6e502efc394f570f3c57c8596
-
SHA1
74c9c4d81c32f7e2c0b4cdc0a21bc916255b7249
-
SHA256
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d
-
SHA512
dcf7c92c8aa85518edddb95b01935b805fb59b36c7c8b013ae51fa6afc176fb9657fa731dfb421193d0b433f0ea139de2aeeec96d48673866f69b71410826735
-
SSDEEP
24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8atQ3XBrIgKm3pW:rTvC/MTQYxsWR7atQ39I+Z
Static task
static1
Behavioral task
behavioral1
Sample
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Targets
-
-
Target
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d.exe
-
Size
1.1MB
-
MD5
271556a6e502efc394f570f3c57c8596
-
SHA1
74c9c4d81c32f7e2c0b4cdc0a21bc916255b7249
-
SHA256
58d1cf060d10e302a7cb4527dbbbc547311e5166e0a34871356024c444ee441d
-
SHA512
dcf7c92c8aa85518edddb95b01935b805fb59b36c7c8b013ae51fa6afc176fb9657fa731dfb421193d0b433f0ea139de2aeeec96d48673866f69b71410826735
-
SSDEEP
24576:rqDEvCTbMWu7rQYlBQcBiT6rprG8atQ3XBrIgKm3pW:rTvC/MTQYxsWR7atQ39I+Z
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-