General
-
Target
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
-
Size
827KB
-
Sample
221129-s9b72afg2s
-
MD5
fe1aa7fa995970ebb34465d5dc0d8ce1
-
SHA1
7505b261cc9df8c6ab8f10e035cf8d8319043cdb
-
SHA256
655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
-
SHA512
245277e1f0f637bda7e2b5d1f76ae06656aeb0a7df47eb428edf8c6472f9af03580234b9cd4a95321a96e6511d9e75279c452c5b58ae182b060a6ca35949a77c
-
SSDEEP
12288:/mMlc1PL/pFr5cE8LHWU/SEdRMA/LyVu6gtXSRxS36qGn3eV6H5ADAUaoZqxIB/N:eqvLj9/L1tsAK/n3eVk55Ul4x+/yIn
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.strictfacilityservices.com - Port:
587 - Username:
accounts@strictfacilityservices.com - Password:
SFS!@#321 - Email To:
guc850155@gmail.com
Targets
-
-
Target
SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
-
Size
827KB
-
MD5
fe1aa7fa995970ebb34465d5dc0d8ce1
-
SHA1
7505b261cc9df8c6ab8f10e035cf8d8319043cdb
-
SHA256
655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
-
SHA512
245277e1f0f637bda7e2b5d1f76ae06656aeb0a7df47eb428edf8c6472f9af03580234b9cd4a95321a96e6511d9e75279c452c5b58ae182b060a6ca35949a77c
-
SSDEEP
12288:/mMlc1PL/pFr5cE8LHWU/SEdRMA/LyVu6gtXSRxS36qGn3eV6H5ADAUaoZqxIB/N:eqvLj9/L1tsAK/n3eVk55Ul4x+/yIn
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-