General
Target: 9da3f3e0eb77d090aae39e7df9c2e5a0243d0f4cd26c7a7ed0831bafde6e9fe6.tar
Size: 615KB
Sample: 240629-b2tcxa1dkq
MD5: 573b8c0a2ca6ca5946a228ec4fdb0c81
SHA1: 787b5f4a56ab950d0d53341733a59f3438844246
SHA256: 9da3f3e0eb77d090aae39e7df9c2e5a0243d0f4cd26c7a7ed0831bafde6e9fe6
SHA512: 447255110783194e3142ec10388d2b05376e4be7d06a30338a354bc8551c2e3c7cc52df6a5cd9401d7d41df9864d37071a9ed5bcc8179168f172a9f271f7913f
SSDEEP: 12288:qb3RdVPvbTp3yondB5J6mG3fW+WcfQuktNa6Pnu5DgPQIWv4CJ+e:OjMondLJ6m2WcQuSs6PnHYIY4i
Static task: static1
Behavioral task: behavioral1
Sample: PO 5002407962.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: PO 5002407962.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted
Protocol: ftp
Host: ftp.ercolina-usa.com
Port: 21
Username: [email protected]
Password: ,%EVY$JU0=lu
Extracted
Family: agenttesla
Protocol: ftp
Host: ftp://ftp.ercolina-usa.com
Port: 21
Username: [email protected]
Password: ,%EVY$JU0=lu
Targets
Target: PO 5002407962.exe
Size: 1.2MB
MD5: aec18c694fce000f07ae7dc56653bff0
SHA1: 840635306bec9a2ec62d9c12fd19eece134878cf
SHA256: 82e145d3a3699341fd1baab548a2327fa87e642e7734b8b12121f24e072ec9d9
SHA512: cbb1849e23bb055ef059ad1b5c32823edc2fc52151a9d55a0c1f84a381687b8717175f00e39fbbdbf3b1fc4cd8341b56f492fc218202f8e9e9a7f4211d014ef7
SSDEEP: 12288:eARmQ3lR3IYGg0RAbueIKU41eksRz+goaoxmQa3/tYCSbD/PxN:3Z5GTRAqVUeksRzjojG3SCUD/
Score: 10/10
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detects packed .NET executables. Mostly AgentTeslaV4.
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
- Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion.
- Detects executables packed with or using KoiVM.
- Detects executables referencing Windows vault credential objects. Observed in information stealers.
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.
- Detects executables referencing many email and collaboration clients. Observed in information stealers.
- Detects executables referencing many file transfer clients. Observed in information stealers.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext.