General
-
Target
b575c5381b605dce02a5c93a5c3c479db2ded4d0c33f9fede1921c2a87aa185b.gz
-
Size
649KB
-
Sample
240604-b759nahb6y
-
MD5
2d0666f089efe192b7488e33c0456090
-
SHA1
da4a5610e1e6d3005e3f4320f6078b57da5a5d4d
-
SHA256
b575c5381b605dce02a5c93a5c3c479db2ded4d0c33f9fede1921c2a87aa185b
-
SHA512
d2a55b65c0a12620f6ab9998af03530de966fd771c434b7cc5319554f5d57d878a89111ebc03080262fa4e8c7666d74c178790bf783849e40d2510ff259889d3
-
SSDEEP
12288:qKBcaYmxNzvPGp7rKrRSxv7NaeKoAHLDuCYu5cITfGic8Vw:qKBdlvPA7GgparoADuCT5a8Vw
Static task
static1
Behavioral task
behavioral1
Sample
PO82107048.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
PO82107048.exe
Resource
win10v2004-20240508-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101* - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.bonnyriggdentalsurgery.com.au - Port:
587 - Username:
[email protected] - Password:
Sages101*
Targets
-
-
Target
PO82107048.exe
-
Size
719KB
-
MD5
523007bc2f106dabe9057f0096aa53c3
-
SHA1
0fd9b3ec5d55916890ce35e8dd47cb6b919576dc
-
SHA256
f303624986bcad8a2b4dcf857b5fc82f54c933082c0849dd633e9c1651afde98
-
SHA512
8a2b229f91de9f9ff51af03dd472e3c9ca4e8da23e80388fd153b49ae1d586958cb7ba135918667573ff6c5c942253fe3c59ffb99ca82b92abd0d125cbebe011
-
SSDEEP
12288:JKqKt/rFfabVtOQvNHMF5iH7cawlJTDGk94h6gXjc6RGc5aJzhkZ+kR:MqKN5ibCQvRG5iH7caMDGgujTR5aJzh+
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-