General
-
Target
NEW VENDOR FOR CTM 21.0.cab
-
Size
354KB
-
Sample
210421-ztyc3afwte
-
MD5
a8837667885238c85de88b25aea7e2d5
-
SHA1
0b29625fdc9d2097b3f0091ef1dc6069786edb27
-
SHA256
4af8a39b1a560855f12284bd90fde9d57f2d45dbeb4fd5d50f8d532a993289ae
-
SHA512
2c26feb33f9efc5a071fefc38c335c1c726e74d415991617ccfdbd9e04bd8eb2d52c634ac9ccc604aa32b0f3c7d37670110db7b35af7eabfc0299f763f539935
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.hyshippingcn.com - Port:
587 - Username:
plogs112@hyshippingcn.com - Password:
e*u@qkS4
Targets
-
-
Target
NEW VENDOR FOR CTM 21.0.exe
-
Size
463KB
-
MD5
4b721a8d71de67710d0391f8eda57d8d
-
SHA1
614b2f6aafb93d760482128c221b052647b4ba3e
-
SHA256
113289fcf78c75d3f42a504464ce183ad572ef78f62bc26192e2c0f5ed88bc58
-
SHA512
57c3dd94b3d225a8fffed003ee5f0733f09178e62bc0f06e7e32150739ff1248dae439c3303f6511bc4d192d94a1688ca890b807295babbbc6e5718230d7261e
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-