General
Target: adc82b873e8b21669e2d4cd73377a61e1d002ca8536502160603434424c13e02.zip
Size: 1.2MB
Sample: 240604-b69wfshg89
MD5: 44c2e011bdabe4e9fc09a4029a5c6c1b
SHA1: cac39bdb40b24f5b662b4928fc0ea1bd2faee903
SHA256: adc82b873e8b21669e2d4cd73377a61e1d002ca8536502160603434424c13e02
SHA512: 0f3635e880de56ddcf5b8fcb27f5e35dd97728b5bd3186c194eee682e8a8983f180da9fb1e54841491af0f88fba7a920a99993f6a231cc65686b3410b47e449f
SSDEEP: 24576:HkJJZxq8kV1K/wshQdUNJA6kTumSH/c0xFfQCYpTfOL7Gy5dw56SqzmhaMjdGkuA:Hhk/wshjRka3c0xFfKT2LqygFqQasuu5
Static task
static1

Behavioral tasks
behavioral1: INVOICE07.bat on win7-20231129-en
behavioral2: INVOICE07.bat on win10v2004-20240508-en
behavioral3: INVOICE07.bat on win7-20240508-en
behavioral4: INVOICE07.bat on win10v2004-20240508-en
behavioral5: InvoiceConfirmation3.bat on win7-20240221-en
Malware Config
Extracted
Family: agenttesla
C2: https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/

The C2 is a Telegram Bot API endpoint, so exfiltration goes over HTTPS to Telegram's own infrastructure; the bot id and token in the URL path are the indicator to hunt for and block, not the destination host or IP.
Targets

Target: INVOICE07.bat
Size: 540KB
MD5: 1952a79579272db52a814baf57821f90
SHA1: 3fcfb6c3d2c08e840d758e905c2f304ec39ca9f3
SHA256: e575145995f725fbaecc1b95c73ec0fbdad3117e1f492dc8d93ad076f5ad2da1
SHA512: 088de9db26c4eda94bb71a5379118418c06bcb46d8ccce7d1da2719c8d742e8347a4dfde9f73afbb362ef461a0af159408d9150adc8653f6e5a3507408eb6a93
SSDEEP: 12288:xToPjPt8r1cxIMTOQo5Xq4PpsXis9Jhqd8FJVqzT+53xH:xeWrOa4UaYpsXlJIdwSIZ

The .bat extension is a name only: the first signature below matched a packed .NET executable, so identify the file by its header rather than by its extension before handling it.

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Blocklisted process makes network request.
- Executes dropped EXE.
- Loads dropped DLL.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
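The extracted C2 is a Telegram Bot API URL, and the behavioral signatures record an external-IP lookup alongside the network activity. As an added example (not part of the sandbox report or of Agent Tesla's own code), the following Python parses that URL into its bot id and secret and runs a detection over constructed proxy-log lines: a Bot API request from a workstation process, with an IP-lookup request by the same process shortly before it. The log format, the host and process names, the first bot token and the IP-lookup host list are assumptions made for the illustration; only REPORT_C2 is taken from the report.

```python
import re
from datetime import datetime
from urllib.parse import urlparse

# Shape of a Telegram Bot API URL: https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/?(?P<method>\w*)"
)

# C2 extracted by the sandbox from this sample (the only real indicator in this block).
REPORT_C2 = "https://api.telegram.org/bot7135973864:AAGVqtrGeLysm0FYcz68sQIn3nL2a6CxjMc/"

# Public-IP lookup services: an illustrative list (assumption), since the report
# only says "a legitimate IP lookup service" without naming one.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.dyndns.org", "icanhazip.com", "ip-api.com"}


def parse_bot_c2(url):
    """Split a Telegram Bot API URL into bot id, bot secret and (optional) API method."""
    m = TELEGRAM_BOT_RE.search(url)
    if not m:
        raise ValueError("not a Telegram Bot API URL: %s" % url)
    return {"bot_id": m.group("bot_id"), "secret": m.group("secret"),
            "method": m.group("method") or None}


def _ts(s):
    # Log timestamps carry a trailing Z; fromisoformat only accepts that from Python 3.11 on.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def hunt_telegram_exfil(log_text, known_c2=(REPORT_C2,), window_s=300):
    """Flag Telegram Bot API calls in a proxy log.

    Each line is: <ISO timestamp> <host> <process> <HTTP method> <URL>.
    A Bot API request from a workstation process is rarely legitimate on its own;
    an IP-lookup request by the same process shortly before it is the usual stealer
    prelude (the public IP goes into the exfiltrated report) and raises confidence.
    Matching the bot id against known C2 ties the activity to this sample."""
    known_ids = {parse_bot_c2(u)["bot_id"] for u in known_c2}
    last_ip_lookup = {}  # (host, process) -> time of the most recent IP lookup
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, _method, url = line.split(maxsplit=4)
        when = _ts(ts)
        key = (host, proc)
        if urlparse(url).hostname in IP_LOOKUP_HOSTS:
            last_ip_lookup[key] = when
            continue
        m = TELEGRAM_BOT_RE.search(url)
        if not m:
            continue
        prior = last_ip_lookup.get(key)
        findings.append({
            "time": ts, "host": host, "process": proc,
            "bot_id": m.group("bot_id"),
            "api_method": m.group("method") or None,
            "preceded_by_ip_lookup": prior is not None and (when - prior).total_seconds() <= window_s,
            "matches_report_c2": m.group("bot_id") in known_ids,
        })
    return findings


# Constructed proxy log (not from the sandbox run): hosts, process names and the
# first bot token are made up; the last line reuses the report's C2.
SAMPLE_PROXY_LOG = f"""\
2024-06-04T10:15:01Z WIN7-PC chrome.exe GET https://www.example.com/
2024-06-04T10:15:44Z WIN7-PC tmp3F2A.exe GET http://api.ipify.org/
2024-06-04T10:15:46Z WIN7-PC tmp3F2A.exe POST https://api.telegram.org/bot1234567890:AAFakeTokenForExample_xxxxxxxxxxxx/sendDocument
2024-06-04T10:16:02Z WIN10-PC outlook.exe GET https://outlook.office.com/
2024-06-04T10:20:11Z WIN10-PC chrome.exe GET https://core.telegram.org/bots/api
2024-06-04T10:31:09Z WIN10-PC svchost32.exe POST {REPORT_C2}sendDocument
"""

if __name__ == "__main__":
    for finding in hunt_telegram_exfil(SAMPLE_PROXY_LOG):
        print(finding)
```

The bot id is the stable part to pivot on: the same bot keeps its id across samples even when the attacker rotates nothing else, and a match on it links a new host's traffic back to this family of samples. The IP-lookup correlation is deliberately optional in the output rather than a filter, so a Bot API call that lacks the prelude is still surfaced.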
Target: InvoiceConfirmation3.bat
Size: 540KB
MD5: af29b01f9517f84f7d1794a3c5a987d5
SHA1: 17f8776ea38c0eb07915cf1ab4e52a2c87ec70cd
SHA256: 18ff8049e5eac05d3f1bf7d414664845edd76f5393630aa463566476e45b9985
SHA512: 29afff43ff59985eb4d65463cf7b8eaa6a82ae508cce66222707cab084d25bed77a45b7f85ec13e91545827f76bde014794b7ccf77f0df44b815df6b8d76953d
SSDEEP: 12288:2Nu+DeVdU51H++iCBdiQslfVMLOzcU+MEJXMHwXUIXkZsCSbluwG9XJec8SmC:t+aVK51HzBdeqLOIM8XfUXFYk7

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Blocklisted process makes network request.
- Executes dropped EXE.
- Loads dropped DLL.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
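The "references many ..." signatures listed for both targets are string-reference heuristics: a binary that names several browsers, mail clients, FTP clients, Windows vault APIs or sandbox DLLs gets flagged per category. As an added example (an illustration of the idea, not the sandbox's actual rule set), the following Python reproduces it in miniature. It matches each needle both as ASCII and as UTF-16LE, because .NET stores managed string literals as UTF-16LE and a plain ASCII search misses them. The category lists and both sample blobs are constructed for the illustration and are not bytes from the sample.

```python
import re

# Artifact strings per category: an illustrative subset (assumption) of what
# "references many X" signatures look for, not the sandbox's rules.
CATEGORIES = {
    "browsers": [b"chrome", b"firefox", b"opera", b"Login Data", b"logins.json", b"key4.db"],
    "mail_clients": [b"Outlook", b"Thunderbird", b"Foxmail", b"IncrediMail", b"Postbox"],
    "ftp_clients": [b"FileZilla", b"WinSCP", b"CoreFTP", b"SmartFTP", b"FTP Navigator"],
    "windows_vault": [b"vaultcli", b"VaultOpenVault", b"VaultEnumerateItems", b"VaultGetItem"],
    "sandbox_dlls": [b"SbieDll.dll", b"snxhk.dll", b"cmdvrt32.dll", b"dir_watch.dll",
                     b"api_log.dll", b"vmcheck.dll"],
}


def find_references(blob, needles):
    """Return the needles present in blob, as ASCII or as UTF-16LE (how .NET keeps
    string literals in the #US heap), matched case-insensitively."""
    found = set()
    for needle in needles:
        for encoded in (needle, needle.decode("ascii").encode("utf-16-le")):
            if re.search(re.escape(encoded), blob, re.IGNORECASE):
                found.add(needle.decode("ascii"))
                break
    return found


def classify(blob, min_hits=3):
    """Categories in which the blob references at least min_hits distinct artifacts.
    The threshold is what turns 'mentions chrome' into 'references many browsers'."""
    report = {}
    for category, needles in CATEGORIES.items():
        hits = find_references(blob, needles)
        if len(hits) >= min_hits:
            report[category] = sorted(hits)
    return report


def _u16(s):
    # A managed string literal as it sits in the binary: UTF-16LE, NUL-terminated here for readability.
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for an unpacked stealer's string tables: managed literals
# as UTF-16LE, P/Invoke entry points as ASCII. Not bytes from the sample.
STEALER_LIKE_BLOB = (
    b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + _u16("chrome") + _u16("firefox") + _u16("Login Data") + _u16("logins.json")
    + _u16("Outlook") + _u16("Thunderbird") + _u16("Foxmail")
    + _u16("FileZilla")  # a single FTP client: stays below the threshold
    + b"vaultcli.dll\x00VaultOpenVault\x00VaultEnumerateItems\x00VaultGetItem\x00"
    + _u16("SbieDll.dll") + _u16("snxhk.dll") + _u16("cmdvrt32.dll")
)

# Constructed benign blob: one managed string and an ordinary import.
BENIGN_BLOB = b"MZ" + b"\x00" * 62 + _u16("Hello, world") + b"kernel32.dll\x00WriteFile\x00"

if __name__ == "__main__":
    print(classify(STEALER_LIKE_BLOB))
    print(classify(BENIGN_BLOB))
```

For the packed .NET case the report also flags, these strings are not present in the file on disk; run the scan over a process memory dump or the unpacked payload, which is why the sandbox DLL signature explicitly covers "memory artifacts". The sandbox DLL names are the ones a stealer probes at runtime (for example via GetModuleHandle) to decide whether it is being analysed, so their presence is an evasion indicator rather than a theft indicator.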