General
-
Target
2A013945C03285FA0AA02F04A9E7557DF761A75BDD39B22CBF682721192D8BCC
-
Size
525KB
-
Sample
221123-r2gl4sda91
-
MD5
89658ee8fbac7a084a59bf030e0098bd
-
SHA1
effee1f0cf2344cac89f67b6f59b4147d342cf42
-
SHA256
2a013945c03285fa0aa02f04a9e7557df761a75bdd39b22cbf682721192d8bcc
-
SHA512
179f28c29ad95ec62cd8d3384541843586189c97b67fdcab445ba95f9671b7a90326a63fa07f37246f43afac19dd4d429a2d03c351ac6098bfa28fd882520d17
-
SSDEEP
12288:Wx8F5sEtZRgwhUIJQbikNeJU5GBUX+X7DIryrFUA:WxMzZRg1bLeJafuXNrFX
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://192.3.223.202 - Port:
21 - Username:
ftplogs - Password:
sPkZ7jK7P6aA
Targets
-
-
Target
FA369852.exe
-
Size
753KB
-
MD5
fe95779f01c2cf063ca96f9227c079c7
-
SHA1
3ed0e9d3472f191d2aace68d6c0f75149228ff3b
-
SHA256
6497c358f05eae2afbb8535f92a187cb27293fb583017c19bd495f838d7b2d26
-
SHA512
dff6c1baf63d3a180d60c0dfc22619b31dc884f4a9a88d501041d92f6b65794f478fb432452f8064264f9a8f73cbebe257c9d65c3e08f62c3b9d3b734f7e6479
-
SSDEEP
12288:gigDGkBZwgwhUpJQN1kw9zb5GB4XXo713JEI5M/:I3BZwg0Nx9z1LHo8
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-