General
-
Target
a0b715dbe6410280098b511f7cf95b466c14f15de32ed2cd79744d2ebd7ad8ff
-
Size
1.3MB
-
Sample
221122-jdm5zshe3t
-
MD5
68bb64fcad70e87be967c773c0370aaa
-
SHA1
d22749990071abe48d0911e8755908dfecf13473
-
SHA256
a0b715dbe6410280098b511f7cf95b466c14f15de32ed2cd79744d2ebd7ad8ff
-
SHA512
781cbe0a94afcdf9efeb387701b374dc2c47e8f3e6e4704da34c270051fc43f30a93e02c8b9a79f7a26292a7b832e20eca088de06a3fd2ea49e36b342d428c76
-
SSDEEP
12288:M94sy3SA7GzCQo4LM2Wx+758A9r9JkwNMhIPipNaVCn6ZVqmviDEexvoxrZrYWr4:M9SQeq9867kLhIKk7qmwEXrniUu
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.godstar.com.br - Port:
587 - Username:
[email protected] - Password:
KINGqqqqqq@12
Targets
-
-
Target
a0b715dbe6410280098b511f7cf95b466c14f15de32ed2cd79744d2ebd7ad8ff
-
Size
1.3MB
-
MD5
68bb64fcad70e87be967c773c0370aaa
-
SHA1
d22749990071abe48d0911e8755908dfecf13473
-
SHA256
a0b715dbe6410280098b511f7cf95b466c14f15de32ed2cd79744d2ebd7ad8ff
-
SHA512
781cbe0a94afcdf9efeb387701b374dc2c47e8f3e6e4704da34c270051fc43f30a93e02c8b9a79f7a26292a7b832e20eca088de06a3fd2ea49e36b342d428c76
-
SSDEEP
12288:M94sy3SA7GzCQo4LM2Wx+758A9r9JkwNMhIPipNaVCn6ZVqmviDEexvoxrZrYWr4:M9SQeq9867kLhIKk7qmwEXrniUu
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-