General
Target: 0cdd89801edc2304d208f9dca70cbe0248f5cf55876c827a275a57560fa396fe.exe
Size: 702KB
Sample: 240604-bdqxwagd79
MD5: cfaef1fbcfc3a09ccc8baf621b681025
SHA1: 1a54605adbd8e04175831efd65076aed86962f1e
SHA256: 0cdd89801edc2304d208f9dca70cbe0248f5cf55876c827a275a57560fa396fe
SHA512: 13d4b2f61b8721565b33fd1ada0a68fdbef0ae88237a82e997ffde31a7ea26978ee15fe4479531ec16e9b330637fba4869f40bd48d18cae933ccade83fbb090b
SSDEEP: 12288:BgcKt/rFfamxJ5nrZ0roAaNziw1htpEs8AOKkTzfD1KoRi16Y9nw:ecKN5imz5eAXGs8AOKG71KoM1/w
Static task: static1
Behavioral task: behavioral1
  Sample: 0cdd89801edc2304d208f9dca70cbe0248f5cf55876c827a275a57560fa396fe.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0cdd89801edc2304d208f9dca70cbe0248f5cf55876c827a275a57560fa396fe.exe
  Resource: win10v2004-20240426-en
Malware Config
Extracted (family: agenttesla)
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: )NYyffR0
  Email To: [email protected]
Extracted
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: [email protected]
  Password: )NYyffR0
Targets
Target: 0cdd89801edc2304d208f9dca70cbe0248f5cf55876c827a275a57560fa396fe.exe (702KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Adds Run key to start application.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext.