{ "type": "MD5", "indicator": "ae6a8a43561ba85215f8b9986001a520", "general": { "sections": [ "general", "analysis" ], "type": "md5", "type_title": "FileHash-MD5", "indicator": "ae6a8a43561ba85215f8b9986001a520", "validation": [], "base_indicator": { "id": 4011276526, "indicator": "ae6a8a43561ba85215f8b9986001a520", "type": "FileHash-MD5", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "68978e78bcdadb6cd6d85194", "name": "AmsiDisable", "description": "", "modified": "2025-08-09T18:07:52.856000", "created": "2025-08-09T18:07:52.856000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 200, "FileHash-SHA1": 200, "FileHash-SHA256": 676 }, "indicator_count": 1076, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "294 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "67588168e91d30296a853db7", "name": "ACTIVIDAD MALICIOSA | Relacionada con AgentTesla 10-12-2024", "description": "Agent Tesla es una herramienta de acceso remoto disponible para compra en un sitio web oficial, supuestamente promocionada como un programa leg\u00edtimo; sin embargo, en realidad, se utiliza con fines maliciosos por ciberdelincuentes para robar datos personales. Los desarrolladores intentan dar una impresi\u00f3n de legitimidad, pero en realidad, fomentan su uso para el control y la monitorizaci\u00f3n de equipos ajenos, obteniendo beneficios de diversas maneras, como el registro de pulsaciones de teclas para obtener acceso a cuentas de v\u00edctimas.", "modified": "2024-12-10T17:59:04.832000", "created": "2024-12-10T17:59:04.832000", "tags": [ "krqjcqmimp1ff", "ta0040", "ta0005", "ta0006", "ta0007", "ta0004", "ta0008", "ta0002", "t1027", "files", "execution" ], "references": [ "https://www.virustotal.com/graph/embed/gc64f51d7b6e84204af64f2ecbaf4186f6819f89975a9450fb6d136c7fa86c7b4?theme=dark", "https://www.virustotal.com/gui/collection/d00eca546cd026fc1b64de314ae179b9c2f72544d3a1b51cb7f072a74c2ef33e/iocs", "https://darfe.es/ciberwiki/index.php?title=Agent_Tesla" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AgentTesla", "display_name": "AgentTesla", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 257, "FileHash-SHA1": 257, "FileHash-SHA256": 257 }, "indicator_count": 771, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "536 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "references": [ "https://darfe.es/ciberwiki/index.php?title=Agent_Tesla", "https://www.virustotal.com/gui/collection/d00eca546cd026fc1b64de314ae179b9c2f72544d3a1b51cb7f072a74c2ef33e/iocs", "https://www.virustotal.com/graph/embed/gc64f51d7b6e84204af64f2ecbaf4186f6819f89975a9450fb6d136c7fa86c7b4?theme=dark" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Agenttesla" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "68978e78bcdadb6cd6d85194", "name": "AmsiDisable", "description": "", "modified": "2025-08-09T18:07:52.856000", "created": "2025-08-09T18:07:52.856000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 200, "FileHash-SHA1": 200, "FileHash-SHA256": 676 }, "indicator_count": 1076, "is_author": false, "is_subscribing": null, "subscriber_count": 182, "modified_text": "294 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 }, { "id": "67588168e91d30296a853db7", "name": "ACTIVIDAD MALICIOSA | Relacionada con AgentTesla 10-12-2024", "description": "Agent Tesla es una herramienta de acceso remoto disponible para compra en un sitio web oficial, supuestamente promocionada como un programa leg\u00edtimo; sin embargo, en realidad, se utiliza con fines maliciosos por ciberdelincuentes para robar datos personales. Los desarrolladores intentan dar una impresi\u00f3n de legitimidad, pero en realidad, fomentan su uso para el control y la monitorizaci\u00f3n de equipos ajenos, obteniendo beneficios de diversas maneras, como el registro de pulsaciones de teclas para obtener acceso a cuentas de v\u00edctimas.", "modified": "2024-12-10T17:59:04.832000", "created": "2024-12-10T17:59:04.832000", "tags": [ "krqjcqmimp1ff", "ta0040", "ta0005", "ta0006", "ta0007", "ta0004", "ta0008", "ta0002", "t1027", "files", "execution" ], "references": [ "https://www.virustotal.com/graph/embed/gc64f51d7b6e84204af64f2ecbaf4186f6819f89975a9450fb6d136c7fa86c7b4?theme=dark", "https://www.virustotal.com/gui/collection/d00eca546cd026fc1b64de314ae179b9c2f72544d3a1b51cb7f072a74c2ef33e/iocs", "https://darfe.es/ciberwiki/index.php?title=Agent_Tesla" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "AgentTesla", "display_name": "AgentTesla", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1048", "name": "Exfiltration Over Alternative Protocol", "display_name": "T1048 - Exfiltration Over Alternative Protocol" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1124", "name": "System Time Discovery", "display_name": "T1124 - System Time Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1185", "name": "Man in the Browser", "display_name": "T1185 - Man in the Browser" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "esoporteingenieria2020", "id": "121604", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 257, "FileHash-SHA1": 257, "FileHash-SHA256": 257 }, "indicator_count": 771, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "536 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-MD5", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "ae6a8a43561ba85215f8b9986001a520", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "ae6a8a43561ba85215f8b9986001a520", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780216901.3125234 }