General
-
Target
248ab46e6afe49c7ee7e2393500a10bb
-
Size
251KB
-
Sample
220621-r9e39aggf9
-
MD5
248ab46e6afe49c7ee7e2393500a10bb
-
SHA1
7044242c3d5aebb44deb2d527e660d8f79aeb7b7
-
SHA256
186f5806f8653396518a7c36dbe610b5dc0733b15b86543f81c7380698d39428
-
SHA512
f10d5510b49a8cc377d6392cbbf3a910c5e21082d405c5f09e32d5f6eec27c5489e3f0ffca50b8fa3609bba44b1fb5bce232fea9dc0ea7f5bba789b0c475aad5
Malware Config
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
zincox - Password:
computer@1010
Extracted
agenttesla
Protocol: ftp- Host:
ftp://files.000webhost.com/ - Port:
21 - Username:
zincox - Password:
computer@1010
Targets
-
-
Target
Documents for your perusal.js
-
Size
450KB
-
MD5
8d006d2e9172f2ba4c156eb100bd31c9
-
SHA1
39f1c16f43c879986747bcdc49a7a75c7a03f0df
-
SHA256
1f0f209552a8710e45b93d500959e04bb4e0cef99e268e1b77419fb50c62cfbd
-
SHA512
b1929743781911ee7b6ed928c4dcef8fe199fe2f6850d5a22eba49fb53efad1684a601fef8f1619f9bece4a3f75703fb0e59d985e98053f485b3a2911472e44b
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
suricata: ET MALWARE AgentTesla Exfil via FTP
suricata: ET MALWARE AgentTesla Exfil via FTP
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-