General
- Target: e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e.exe
- Size: 1.0MB
- Sample: 240519-cydcysdg7v
- MD5: dc8a137a9917260473120aa235f69f5f
- SHA1: dd74caccc6c2ab38da7f4171d1a64ae506f185b8
- SHA256: e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e
- SHA512: de49ba1a489a488fa15262869f49944a3a46f1d2b2a1fc1e55b7e9914b92d892b5e22bc0230a7e8b7dd072f11753d7d683c4d49cb993d85eff23a92acdc61c19
- SSDEEP: 12288:MUfbdTxwbed/QIA8EmCCZPyXNDxaMejIQv7iglCqRoeuIIymiR8gZMRnObwZNtV:MUfhTFQBeCHND/j87j8oIhiR8gv69
Static task: static1
Behavioral task: behavioral1
- Sample: e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e.exe
- Resource: win7-20240220-en
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tekserendustriyel.com
- Port: 21
- Username: [email protected]
- Password: chuzy2024@
Extracted (agenttesla)
- Protocol: ftp
- Host: ftp://ftp.tekserendustriyel.com
- Port: 21
- Username: [email protected]
- Password: chuzy2024@
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables packed with or using KoiVM.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext.