General
-
Target
ad7a7cf0976ddc45d980eedb9adb2c550f3c6956ac7bc045de97424fec0456a3
-
Size
3.3MB
-
Sample
240427-b812bsgf34
-
MD5
fbe98ea777d83fcbdfd8f279d900f8fd
-
SHA1
47aa24342edd409b4cb1a4f3b708f363ce66871a
-
SHA256
ad7a7cf0976ddc45d980eedb9adb2c550f3c6956ac7bc045de97424fec0456a3
-
SHA512
b8089e21ecd97a90fdbbd1cc090c6ae9c3d3204862bd324480bc77a3fb204d50c2730824553680942973647ef945571b0bcddec3db8419ee341a2e4561dcbc61
-
SSDEEP
98304:TR/yT715TGTtRCdLorKYIthsKddy23M9J:F/KTGTtEh84zdDjMz
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.grandanatoliahotel.com - Port:
587 - Username:
admin@grandanatoliahotel.com - Password:
rruuggeedd12.Z - Email To:
exportmanager180@gmail.com
Targets
-
-
Target
ad7a7cf0976ddc45d980eedb9adb2c550f3c6956ac7bc045de97424fec0456a3
-
Size
3.3MB
-
MD5
fbe98ea777d83fcbdfd8f279d900f8fd
-
SHA1
47aa24342edd409b4cb1a4f3b708f363ce66871a
-
SHA256
ad7a7cf0976ddc45d980eedb9adb2c550f3c6956ac7bc045de97424fec0456a3
-
SHA512
b8089e21ecd97a90fdbbd1cc090c6ae9c3d3204862bd324480bc77a3fb204d50c2730824553680942973647ef945571b0bcddec3db8419ee341a2e4561dcbc61
-
SSDEEP
98304:TR/yT715TGTtRCdLorKYIthsKddy23M9J:F/KTGTtEh84zdDjMz
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-