General
-
Target
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d.exe
-
Size
1.0MB
-
Sample
240430-cac3aagh89
-
MD5
bebe5907e39cdbd2a097c0325f6b12ed
-
SHA1
8ebfa77700a40d7935e41c376c0f0962c62e1c5a
-
SHA256
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d
-
SHA512
d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c
-
SSDEEP
24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo
Static task
static1
Behavioral task
behavioral1
Sample
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Targets
-
-
Target
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d.exe
-
Size
1.0MB
-
MD5
bebe5907e39cdbd2a097c0325f6b12ed
-
SHA1
8ebfa77700a40d7935e41c376c0f0962c62e1c5a
-
SHA256
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d
-
SHA512
d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c
-
SSDEEP
24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-