General
-
Target
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07.exe
-
Size
1.1MB
-
Sample
240612-bw1vssxgkf
-
MD5
1249880fdd0d3ff27ad954b77fee4020
-
SHA1
0270dad410e1cdd4020a5505431b5b39dc168f9c
-
SHA256
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07
-
SHA512
340ec8cba4bbaf8cadd5a0288cb020b78c9f4a828818ebc0866db9c2e0b289417dc905f72c06ab8e279bee22028866bfafbbb57d51a2b8ef2f141830a3d75ad6
-
SSDEEP
24576:vAHnh+eWsN3skA4RV1Hom2KXMmHawZWMv00QItrCxw1Z6We5:Sh+ZkldoPK8YawZWMc3ItrC0Ze
Static task
static1
Behavioral task
behavioral1
Sample
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.laboratoriosvilla.com.mx
Port: 587
Username: [email protected]
Password: WZ,2pliw#L)D
Email To: [email protected]
Targets
-
-
Target
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07.exe
-
Size
1.1MB
-
MD5
1249880fdd0d3ff27ad954b77fee4020
-
SHA1
0270dad410e1cdd4020a5505431b5b39dc168f9c
-
SHA256
601fbc5c07995ae23253ab8b45b790f7bd35305b4282fde19a3eedf158e60d07
-
SHA512
340ec8cba4bbaf8cadd5a0288cb020b78c9f4a828818ebc0866db9c2e0b289417dc905f72c06ab8e279bee22028866bfafbbb57d51a2b8ef2f141830a3d75ad6
-
SSDEEP
24576:vAHnh+eWsN3skA4RV1Hom2KXMmHawZWMv00QItrCxw1Z6We5:Sh+ZkldoPK8YawZWMc3ItrC0Ze
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
-
Detects executables referencing Windows vault credential objects. Observed in information stealers.
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
-
Detects executables referencing many email and collaboration clients. Observed in information stealers.
-
Detects executables referencing many file transfer clients. Observed in information stealers.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-