General
-
Target
HCM - JACKSONVILLE, FL.zip
-
Size
768KB
-
Sample
210420-6glb7g39c2
-
MD5
2b0d60816fdd08f8f82852e11086b633
-
SHA1
702c554daee025edf44a970b0c3bc23c49a1f0df
-
SHA256
39ad4248a5f721de8e635ddaab76190a0bb6bcc48acaf31396c5489ea1aabd9a
-
SHA512
6de9e85c90f786ecc12804545227b9554dafea36a8c8ba9c905552332b38aba4cbd9c6be5597c684bc3c18e20272d156541b3660de3b8edc726755b205535e1e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.framafilms.com - Port:
587 - Username:
[email protected] - Password:
lister11
Targets
-
-
Target
HCM - JACKSONVILLE, FL.exe
-
Size
1.1MB
-
MD5
74bd64c0ec695f0f8177b08bd961c2db
-
SHA1
a0df1a7e20933db43bdd8b44ffcfe466fbebdec0
-
SHA256
cd04b35e2ed6848898fb8a61a027f9546ac28413012a48c428ce76d36312de43
-
SHA512
1f659e11081ae83c252e5dd4cf761bb4e76a8ce2ad650982ed650dc6fc9227c6c798c74e2c0c91edd05a037f1ba8c1016148cc43b770005d76895b02f8b3b27a
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Drops file in Drivers directory
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-