Deep Static Analysis — AgentTesla | Threat: high
File Identity
| Field | Value |
|---|---|
| SHA256 | 5a505f489d40c545ddacf31c16898cc85d6cf4bb308ff8448e24bcc744932042 |
| MD5 | 6b3e4790971c4541f567eb04d06152fb |
| SHA1 | 4bc8d8699e928d8f1c72607d6b85bd585f0beda7 |
| File Name | Purchase order.exe |
| Size | 1586817 bytes |
| Type | /opt/ksentinel/samples/5a505f489d40c545_Purchaseorder.exe: PE32+ executable (GUI) x86-64 Mono/.Net a |
| Compile Date | Unknown |
| Packer | UPX |
C2 Servers / Dropper Domains
| Address | Type | Status |
|---|---|---|
| System.IO | Domain | active |
Detected IOCs
| Value | Type |
|---|---|
| System.IO | Domain |
Capabilities
Encryption: RijndaelManaged
Base64 Decode:
Developer Hints
Telegram: @0nQzB @ceaAW @eSdl @GOL25 @KMlxE
PE Analysis
PE Security Scan
- file entropy: 6.098944 (normal)
- fpu anti-disassembly: no
- imagebase: normal
- entrypoint: null
- DOS stub: normal
- TLS directory: not found
- timestamp: future time
- section
Import Table (summary)
Imported functions
Family Detection — String Evidence
No string evidence found (obfuscated).
AgentTesla — Malware Profile
AgentTesla .NET credential stealer. JS dropper @version 8.16.22. Numeric obfuscation v6034. SMTP/FTP/HTTP C2.
Malware Type
Infostealer
Programming Language
.NET
C2 Protocol
SMTP/FTP
Target Systems
Windows
Also Known As (AKA)
Agent Tesla
Technical Details
C#/.NET, SMTP/FTP/HTTP C2, GetAsyncKeyState keylogger, browser stealer (Chrome/Firefox/Edge), email client stealer, FTP stealer, VPN stealer, clipboard monitor, screenshot
Attribution / Threat Actor
A platform associated with the Turkish-speaking developer group 'Turk Hack Team' and believed to be operated from Turkey. It has many different cybercrime groups as customers.
Capabilities & Behavior
Browser Credentials
Cookie Theft
Crypto Wallet Theft
System Information
Screenshot
FTP/SSH Client Passwords
Email Client Theft
Data Exfiltration
IOC List (4 indicators)
IOC — AgentTesla
| Type | Value | Note |
|---|---|---|
| sha1 | 4bc8d8699e928d8f1c72607d6b85bd585f0beda7 | |
| sha256 | 5a505f489d40c545ddacf31c16898cc85d6cf4bb308ff8448e24bcc744932042 | |
| md5 | 6b3e4790971c4541f567eb04d06152fb | |
| domain | System.IO | also the name of a .NET namespace; verify before blocking |
C2 Servers (8 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| digicert.com | domain | — | TCP | active | — |
| stem.ru | domain | — | TCP | active | — |
| digicert.com | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| dublincore.org | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| system.io | domain | — | TCP | active | — |
| googleapis.com | domain | — | TCP | active | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.