General
-
Target
DarkWareLoader.exe
-
Size
2.3MB
-
Sample
240831-tvym6atdlr
-
MD5
c42b185841679c16a7aed9ccf48e0d0d
-
SHA1
0c6ad1cc0e6e8706c5913a8604d42449549c4da3
-
SHA256
03bb14890ec3a3cdf397f6af5e87d4cdf122b564a64f89c5b6672e5cbcc57b01
-
SHA512
c8ce057772905b620a9ea1910ce72410d49b327ce5256a6cf594d4a1df17bb3eed4a2b6664988c755b58ec31ee6e76ba87230edeb56c574e3b8bd0ff5c63135f
-
SSDEEP
49152:4CI01yYHlo9MayICF/Xo1U7AZecga2jp:4CIAyYFS8w3UJd
Malware Config
Targets
-
-
Target
DarkWareLoader.exe
-
Size
2.3MB
-
MD5
c42b185841679c16a7aed9ccf48e0d0d
-
SHA1
0c6ad1cc0e6e8706c5913a8604d42449549c4da3
-
SHA256
03bb14890ec3a3cdf397f6af5e87d4cdf122b564a64f89c5b6672e5cbcc57b01
-
SHA512
c8ce057772905b620a9ea1910ce72410d49b327ce5256a6cf594d4a1df17bb3eed4a2b6664988c755b58ec31ee6e76ba87230edeb56c574e3b8bd0ff5c63135f
-
SSDEEP
49152:4CI01yYHlo9MayICF/Xo1U7AZecga2jp:4CIAyYFS8w3UJd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-