General
-
Target
Pre-alert M160-45027883.exe
-
Size
287KB
-
Sample
221102-q1va5shbh6
-
MD5
d79fcbfe4353a2ddab4fc5e9be509986
-
SHA1
bd7c7d4ed91d3388af41f867f742d0901ef7a648
-
SHA256
40a14914d81b9ed410d59ff28faa9dd835eef9d36b6897f70700e5899df0ba70
-
SHA512
1adee5be9125f1f2b653632b491e2e61a0b172a72d7fe07d935a03a86c26a933dee28819b7f3975ad7e349b4f10354ae08b7df227863b4e4a14cea67b7430182
-
SSDEEP
6144:hweEt3s4oHtkJld6LIraDRS+drG3iHOqwQuE5X7vd9:owkMtsxQuE5Lv7
Malware Config
Targets
-
-
Target
Pre-alert M160-45027883.exe
-
Size
287KB
-
MD5
d79fcbfe4353a2ddab4fc5e9be509986
-
SHA1
bd7c7d4ed91d3388af41f867f742d0901ef7a648
-
SHA256
40a14914d81b9ed410d59ff28faa9dd835eef9d36b6897f70700e5899df0ba70
-
SHA512
1adee5be9125f1f2b653632b491e2e61a0b172a72d7fe07d935a03a86c26a933dee28819b7f3975ad7e349b4f10354ae08b7df227863b4e4a14cea67b7430182
-
SSDEEP
6144:hweEt3s4oHtkJld6LIraDRS+drG3iHOqwQuE5X7vd9:owkMtsxQuE5Lv7
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-