General
-
Target
e0ece16177937a72af5678f92fa79d6a9fd01213b33663b46c6106aa3189eb96
-
Size
371KB
-
Sample
240523-ek89ksdc2s
-
MD5
2d3cfe702b5ed5064a086a7c63c9c853
-
SHA1
b74a924d93f66f0cf71023406a6959afe7a7c385
-
SHA256
e0ece16177937a72af5678f92fa79d6a9fd01213b33663b46c6106aa3189eb96
-
SHA512
cc45573b6c805763765b884d3ffa309bc4fd8f83508275a3323372d668afde693894aaa23840da52509054ca726a2ee1ec43fedab36fed9cb57437eaddf274e0
-
SSDEEP
6144:7IxY3q6emyxIeCc6LK+hRz9Fl7nNjknWlajhgVZfwJPH1Q+9fRQK1oErL:sxY66cMc6LL9v7uWrZfayYfRr1oK
Static task
static1
Behavioral task
behavioral1
Sample
e0ece16177937a72af5678f92fa79d6a9fd01213b33663b46c6106aa3189eb96.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
e0ece16177937a72af5678f92fa79d6a9fd01213b33663b46c6106aa3189eb96.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6760916656:AAFTROumNysgqsjoqAvyBqjbR9y3VV4we2Y/
Targets
-
-
Target
e0ece16177937a72af5678f92fa79d6a9fd01213b33663b46c6106aa3189eb96
-
Size
371KB
-
MD5
2d3cfe702b5ed5064a086a7c63c9c853
-
SHA1
b74a924d93f66f0cf71023406a6959afe7a7c385
-
SHA256
e0ece16177937a72af5678f92fa79d6a9fd01213b33663b46c6106aa3189eb96
-
SHA512
cc45573b6c805763765b884d3ffa309bc4fd8f83508275a3323372d668afde693894aaa23840da52509054ca726a2ee1ec43fedab36fed9cb57437eaddf274e0
-
SSDEEP
6144:7IxY3q6emyxIeCc6LK+hRz9Fl7nNjknWlajhgVZfwJPH1Q+9fRQK1oErL:sxY66cMc6LL9v7uWrZfayYfRr1oK
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-