General
Target: 0220e969f9fd1e5cadd143f94dc7fdfe26971096227ff4005a8bf96bb316c4c2.exe
Size: 855KB
Sample: 240604-bcyakagd43
MD5: 9288139da2b1315965fe2b044104150e
SHA1: a44bb593d403c6d2b112acd8ae11322df909fe44
SHA256: 0220e969f9fd1e5cadd143f94dc7fdfe26971096227ff4005a8bf96bb316c4c2
SHA512: b91346f8bbba383c7f037963a3f4abfb2436dcab2b5fdf00af8635a6401042d44b0fa37d14c8b80ca4d10abc55606f74c575c43c9999317a830f606d481310be
SSDEEP: 12288:vMYeaky/Qa0KP1x+kPwu9JKzf8FLt/rFfaoLen69wkogNohd1mzw8WnIdY7Qb9F1:vMYehzfUN5irUobdczlWeRN/znUwb
Static task: static1
Behavioral task: behavioral1
Sample: 0220e969f9fd1e5cadd143f94dc7fdfe26971096227ff4005a8bf96bb316c4c2.exe
Resource: win7-20240508-en
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.jeepcommerce.rs
Port: 21
Username: [email protected]
Password: Cgn+Udqt0F%y
Targets
Target: 0220e969f9fd1e5cadd143f94dc7fdfe26971096227ff4005a8bf96bb316c4c2.exe
Size: 855KB
MD5: 9288139da2b1315965fe2b044104150e
SHA1: a44bb593d403c6d2b112acd8ae11322df909fe44
SHA256: 0220e969f9fd1e5cadd143f94dc7fdfe26971096227ff4005a8bf96bb316c4c2
SHA512: b91346f8bbba383c7f037963a3f4abfb2436dcab2b5fdf00af8635a6401042d44b0fa37d14c8b80ca4d10abc55606f74c575c43c9999317a830f606d481310be
SSDEEP: 12288:vMYeaky/Qa0KP1x+kPwu9JKzf8FLt/rFfaoLen69wkogNohd1mzw8WnIdY7Qb9F1:vMYehzfUN5irUobdczlWeRN/znUwb
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables referencing Windows vault credential objects. Observed in infostealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.