General
Target: e2ca6cf4652db006b200d39176a41ae8_JaffaCakes118
Size: 1020KB
Sample: 240915-srtdla1bjk
MD5: e2ca6cf4652db006b200d39176a41ae8
SHA1: 5cce128cdcc5348ff3a9d8296407a4bfa0d96c54
SHA256: 4a604a1400c389ddbd23c6f316bcd77ea820f3a00eab459678a39847ebbc82a6
SHA512: 2123a47651398688ca69c5c3261be43aec782aa107978fa2937d63ba5483c58602a7d9f059b720d52a8f2016a94b695ab7c1578400157b90184a8f90fe1a443e
SSDEEP: 6144:pZm49UNNMYc+5TdyfZjx1WWiOXbSHtBt3pt7MTa:n9VA5TuZjx1WeGBt3/
Static task: static1
Behavioral task: behavioral1
  Sample: Scanned copy invoice.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Scanned copy invoice.exe
  Resource: win10v2004-20240802-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.ereglitso.org.tr
  Port: 587
  Username: [email protected]
  Password: =itbvqD+KGPp
Targets
Target: Scanned copy invoice.exe
Size: 429KB
MD5: 2bffa0ee481c114fbae3dd11de379253
SHA1: 32192f93fa6650bfc4eb01c0a2731c6fcc3050c3
SHA256: 5e8cf7376d24c9637309a847c15ca2fc080d016d91b656dd8adc61f3d7d71abc
SHA512: 1d1d74155b7ce5efab02e5fbc6f913daac6afe2645880feb70a65d0dfa47508e514f6ba52d059911f4a330bf99f30e6f1a1f7844f53a1b2468568f8c05817a7b
SSDEEP: 6144:DZm49UNNMYc+5TdyfZjx1WWiOXbSHtBt3pt7MTa:19VA5TuZjx1WeGBt3/
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload
Credentials from Password Stores: Credentials from Web Browsers
  Malicious access to, or copying of, a web browser credential store.
System Binary Proxy Execution: InstallUtil
  Abuse of InstallUtil to proxy execution of malicious code.
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext