General
Target: 57b28449a18693f09f34ba59a45d45075fab204b53510154a8b4325c25011d11.7z
Size: 443KB
Sample: 240519-brfdasba84
MD5: a50c4821611a79ba09fe7bbca75e4afb
SHA1: 1a1922f4dfa06e555e0ca535c11186a3173eee8d
SHA256: 57b28449a18693f09f34ba59a45d45075fab204b53510154a8b4325c25011d11
SHA512: ae58e4ea4c77b974849c4b49f6953ae1041ba185501825df1b9eadeed61b130f07d9a01258dbc9661f3453034a9aec49678f2d04de7af7e954ef23e1a1b0a415
SSDEEP: 12288:uXq3wupwFohP2Lk6GxkSEWCB6i1DohtpqKJv9KuUV1+:SqAupHhP2nSQ2h2K7Kh+
Static task: static1
Behavioral task: behavioral1
  Sample: New order.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: New order.exe
  Resource: win10v2004-20240426-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.iaa-airferight.com
Port: 587
Username: [email protected]
Password: webmaster
Email To: [email protected]
Targets
Target: New order.exe
Size: 937KB
MD5: edff6ebaba458e4a2d35de645fa2f104
SHA1: 549076de88e051109d387169f7e152864099c474
SHA256: b3ac3ae44c087c5dc5d42c5ea8531e82f47cc6740da571a7c60624dfdb436469
SHA512: 91cd2f7e7e292602194cf3a400fc01e9fcf882c83e84b8997910d1d2d749ba5e423b39a25b146f3f87377b1a2256b1c8723d790aa4628f29a480f644cdb18fdf
SSDEEP: 24576:k+0MVCW4TGOIQ3JEcTyeOOYJExtGfVH8k1q:k+VQZEcTnOuxtGfVH8t
Score: 10/10
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext