General
-
Target
d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186.exe
-
Size
421KB
-
Sample
240430-cc3eyshe9z
-
MD5
7d862c6c31821657aa0877079a5c4be5
-
SHA1
2a97fb40ca8824d4e6aa1a581e3f47290490d67c
-
SHA256
d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186
-
SHA512
f36c4d703667b2e19fa2d4952eabea31c112977d96e13b61b7a2c95e63b821fa75ef0f32a524c130824481ab9f4319b97e491a87b155e64a9be7130760f76f57
-
SSDEEP
6144:/9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNL6Cac1YYwAL01r/x47yXnp1nOAp:J0VEsvPZG/XU2gYVALy/O7anp1OUXd
Static task
static1
Behavioral task
behavioral1
Sample
d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
neontechvendors.com - Port:
587 - Username:
[email protected] - Password:
Mustfly@90 - Email To:
[email protected]
Targets
-
-
Target
d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186.exe
-
Size
421KB
-
MD5
7d862c6c31821657aa0877079a5c4be5
-
SHA1
2a97fb40ca8824d4e6aa1a581e3f47290490d67c
-
SHA256
d49345704d39dce3913c9b225eaa3c1fe2345e789835d2a86e80617c123dc186
-
SHA512
f36c4d703667b2e19fa2d4952eabea31c112977d96e13b61b7a2c95e63b821fa75ef0f32a524c130824481ab9f4319b97e491a87b155e64a9be7130760f76f57
-
SSDEEP
6144:/9X0GEh9EyWfqG2ts8KYV/i43TsgyT4O/f/KNL6Cac1YYwAL01r/x47yXnp1nOAp:J0VEsvPZG/XU2gYVALy/O7anp1OUXd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
34442e1e0c2870341df55e1b7b3cccdc
-
SHA1
99b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
-
SHA256
269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
-
SHA512
4a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51
-
SSDEEP
192:jPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4I:u7VpNo8gmOyRsVc4
Score3/10 -
-
-
Target
$PLUGINSDIR/nsExec.dll
-
Size
6KB
-
MD5
ac0f93b2dec82e9579bff14c8572a6c8
-
SHA1
6460244317cbb77e342adb3561ec3acb496c84d5
-
SHA256
3aa8e0abadefea2de58281198acfe48713a1d5b43aea5619f563cea098e9fd34
-
SHA512
8055a6af150c45547927499f9cbf645d7f39c8e4f9caff4726fd711d2401abca01a79837095e5752b9f57b06446973ea6506796f2223bdb0179243d6e0575bd2
-
SSDEEP
96:5OBtEB2flLkatAthPZJoi9jpfW/er6cBbcB/NFyVOHd0+u3wEX:5hB2flXAVJtjf6cBbcB/N8Ved0PJ
Score3/10 -