General
-
Target
4156d141ecd566aebb51846c4a8124c4f5923970d48cdfb53f6e3e37ca774268
-
Size
1.2MB
-
Sample
220521-aygz2aeabk
-
MD5
0f8ca9dea6c979c62c060936a0bb8581
-
SHA1
eb554783d1016c4d6f977dc4956d42b1465a06e2
-
SHA256
4156d141ecd566aebb51846c4a8124c4f5923970d48cdfb53f6e3e37ca774268
-
SHA512
3b228abf319e8957e3b61aedffc6d82e079e9028c2783b1c3dbba440071ea1d994e5e61b3b29a4330c88f32ae0aab7478852e8e3e1b7072168dcac40ec79792e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.northwestpowdercoating.co.uk - Port:
587 - Username:
[email protected] - Password:
C^0z.^LxykTW
Targets
-
-
Target
TRANSFER.SCR
-
Size
571KB
-
MD5
b21c5e9a0e9846d44a674f7822c0a1f2
-
SHA1
de3807ac88680dcc6146c76db7a174e4411ab078
-
SHA256
f8489030f3c79639a56320cdd06179b2f3cf280824cd80d8b3c333c8aabd3d9f
-
SHA512
c5a18cf1dd2d3441f08445f585eddf63ebb179edcfd4470c147d16c6fe58ccf55bcf88d32884ca7a49e88354edd20c5193835e323e87edaed212b3232a20cfa8
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-