General
Target: 495cd136db440b3d7721b351346ea34c6cf5d6db20a038d2681953b44f1a2a86.7z
Size: 662KB
Sample: 240612-brw12sxerk
MD5: ba8496e733e3ac1b0f517b427d53e378
SHA1: 508663a5aadb42b7f813d92d49b01318f1e23119
SHA256: 495cd136db440b3d7721b351346ea34c6cf5d6db20a038d2681953b44f1a2a86
SHA512: b15779d05923478ecfb8cb37ece8d1c1cf37044ecdca4fdd79795c59e0dceea9c3fe91debe94abcbdbca1107cfec30fab3d006afd363572c156d0047941c6603
SSDEEP: 12288:y8UER4dMlpy8eeQtDZxjXnvCbXGNMC3ZchWGtxPR6gWmf2wrk3zk:y8viMzypeQ3xriWyJhWKZy9ZY
Static task: static1
Behavioral task: behavioral1
Sample: PO 077-57676135.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: PO 077-57676135.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.bredband2.com
Port: 587
Username: [email protected]
Password: 550712hJ
Email To: [email protected]
Targets
Target: PO 077-57676135.exe
Size: 714KB
MD5: f8fe6881e21dcba5b78d693f96f56c6f
SHA1: 15bad9cbbc0bb09e66ab78929a5ce632da652b78
SHA256: 4210e25c33df901302fe42704fcd0832729e4efade9da5abe6a8f2512244024f
SHA512: e0bf8b7105cc94bb126db2acabf321eccbcc26852ffb19c754bbb8f733d135c877c92adf05fc3c3e4efe923ee38ba26cfd25424b53c46e92e6b1381d64ebb77c
SSDEEP: 12288:wX0pxhV36Di8BtLExdWe2kD3nmXbvtbZGh/C3f+hwGsxNPigJNS2wrk80:tBFKKxYe2WnaFItrhwztlfO
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detects packed .NET executables. Mostly AgentTeslaV4.
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables referencing Windows vault credential objects. Observed in information stealers.
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
Detects executables referencing many email and collaboration clients. Observed in information stealers.
Detects executables referencing many file transfer clients. Observed in information stealers.
Adds Run key to start application
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext