General
-
Target
19b604df73a21665949858204d634fc31077cc0b1c0c02f53712b2cf3b5e8bc0.exe
-
Size
767KB
-
Sample
240619-bhh3ts1are
-
MD5
ae54788d08becd55e2b37644bd3a415f
-
SHA1
1cfa4e42bfdb310216232b98078058613a22bd23
-
SHA256
19b604df73a21665949858204d634fc31077cc0b1c0c02f53712b2cf3b5e8bc0
-
SHA512
c12a405c4cc75c18d804c00300f4de326c1e32ddbd7dc72d11fc0ebd75aa20a59198639b7b39715bdb09e5f57285e7cc2d0118a43ea9f89dd18f956fdc0951c7
-
SSDEEP
12288:nbpD3HH3DI+jiNu1r3jhWvk4Zdmm8gJgoDxJ/27+LHeMbGIfauCRUDJM:bpjH3DI2DAvkwbvgoDxESCMbGIyTUFM
Static task
static1
Behavioral task
behavioral1
Sample
19b604df73a21665949858204d634fc31077cc0b1c0c02f53712b2cf3b5e8bc0.exe
Resource
win7-20240508-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mahesh-ent.com - Port:
587 - Username:
[email protected] - Password:
M@hesh3981 - Email To:
[email protected]
Targets
-
-
Target
19b604df73a21665949858204d634fc31077cc0b1c0c02f53712b2cf3b5e8bc0.exe
-
Size
767KB
-
MD5
ae54788d08becd55e2b37644bd3a415f
-
SHA1
1cfa4e42bfdb310216232b98078058613a22bd23
-
SHA256
19b604df73a21665949858204d634fc31077cc0b1c0c02f53712b2cf3b5e8bc0
-
SHA512
c12a405c4cc75c18d804c00300f4de326c1e32ddbd7dc72d11fc0ebd75aa20a59198639b7b39715bdb09e5f57285e7cc2d0118a43ea9f89dd18f956fdc0951c7
-
SSDEEP
12288:nbpD3HH3DI+jiNu1r3jhWvk4Zdmm8gJgoDxJ/27+LHeMbGIfauCRUDJM:bpjH3DI2DAvkwbvgoDxESCMbGIyTUFM
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
-
Detects executables referencing Windows vault credential objects. Observed in infostealers
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
-
Detects executables referencing many email and collaboration clients. Observed in information stealers
-
Detects executables referencing many file transfer clients. Observed in information stealers
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-