General
-
Target
1992-72-0x0000000000400000-0x000000000043D000-memory.dmp
-
Size
244KB
-
Sample
221125-svq3msgc34
-
MD5
eafd1bff062f8edb0ed644c3a6bd5d65
-
SHA1
cdc15a5eedf87e2c6ec547f24e833b8ccf1b0cc1
-
SHA256
8e286696a68fbea67a45b8b49daf8d6b486340d6515a19255f57b42b9a3c053d
-
SHA512
552f7ac2d6c8c037fcbc81d968e6e41517eb95e0bdc35d7b4c2525279e17d31cd62d02e675d1406b345b90809d9837a68de05103ace766d266c52cb9e3fc4ed5
-
SSDEEP
3072:AHWG7oJ4jT1Yto2mAFPlfT0bxzbUKOfeNUY2jzkRhXJwXJ0yeGrptQY3FXJzNvG5:A2GPTC59E1Uffe+Y2chX2XciJVXFNvI
Malware Config
Extracted
agenttesla
http://107.189.4.253/zipone/inc/10c5bcaaef047d.php
Targets
-
-
Target
1992-72-0x0000000000400000-0x000000000043D000-memory.dmp
-
Size
244KB
-
MD5
eafd1bff062f8edb0ed644c3a6bd5d65
-
SHA1
cdc15a5eedf87e2c6ec547f24e833b8ccf1b0cc1
-
SHA256
8e286696a68fbea67a45b8b49daf8d6b486340d6515a19255f57b42b9a3c053d
-
SHA512
552f7ac2d6c8c037fcbc81d968e6e41517eb95e0bdc35d7b4c2525279e17d31cd62d02e675d1406b345b90809d9837a68de05103ace766d266c52cb9e3fc4ed5
-
SSDEEP
3072:AHWG7oJ4jT1Yto2mAFPlfT0bxzbUKOfeNUY2jzkRhXJwXJ0yeGrptQY3FXJzNvG5:A2GPTC59E1Uffe+Y2chX2XciJVXFNvI
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-