General
-
Target
3ba2d8ddb27f996939d08f47da5e2837778b77c015c288dde593cfc2df3a4be5.7z
-
Size
301KB
-
Sample
240524-bj5m8aga22
-
MD5
82c172b8b01a656140709919aa699d91
-
SHA1
81e4611cde12f02648004c2063ed32fc14e27ebb
-
SHA256
3ba2d8ddb27f996939d08f47da5e2837778b77c015c288dde593cfc2df3a4be5
-
SHA512
87a35cd19b4819ee8d4ebc4d2f9cc26506502ff3e30afa1ec36cd509a0546b272268dff68bc7a6181771b3402b31ac78f2e0970b42f4d3c716782afea6e756ca
-
SSDEEP
6144:VERva6GZBtXZ7L5wAzT1GlwpbPtK/JBoxqerNvkzegl1ZeUz3ses:VnBZ7qAzTQwnoBoxqe5vS7l1Zf3ps
Static task
static1
Behavioral task
behavioral1
Sample
DAMAGE CARGO.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
DAMAGE CARGO.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Targets
-
-
Target
DAMAGE CARGO.exe
-
Size
498KB
-
MD5
f53753567d26f08858674d27c2222e8d
-
SHA1
06f8efd5a96b625d8966df80ee3b8f76fb3d4b0e
-
SHA256
5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba
-
SHA512
900b1d005e1c5ad4ad9980af5ec495c009e2a32200fd0190e56746796acac4e68f66d55a030395c938b387eaee9c34a490194ae6bc2bca4e1e4b265a46192bb2
-
SSDEEP
12288:imo2oiXB/6DuKf8I6niPW/Q5f7rzYP7r9r/+pppppppppppppppppppppppppppv:73XlnKf8Uayo1q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-