General
-
Target
Request for Commercial offer - NGL 700800 Compressor Station Expansion.exe
-
Size
1.1MB
-
Sample
221205-rwv8bahd69
-
MD5
47b60cbad0166a779665d56fe5c03596
-
SHA1
28c9d7176ead66aa9aa4e9889d49e4576405bebf
-
SHA256
4658e3fbdce008655176741c9d433fd3f42e79990c72fab345fbf5777b1cc291
-
SHA512
03dbfda0a1f34ea8c8b59573723ebc9bebf2fa5c2aad6fd770a1c11537199fee25534865a23911b4279ea73537ded0f42f6faf270365ac4915fa9f882fa87328
-
SSDEEP
24576:Oc7wqlKtw+m21of1PW5ewsF9r3g62h/jOQlg5A7:l7wKJQoxwgbYJqQui
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
host39.registrar-servers.com - Port:
587 - Username:
[email protected] - Password:
payment 12345
Targets
-
-
Target
Request for Commercial offer - NGL 700800 Compressor Station Expansion.exe
-
Size
1.1MB
-
MD5
47b60cbad0166a779665d56fe5c03596
-
SHA1
28c9d7176ead66aa9aa4e9889d49e4576405bebf
-
SHA256
4658e3fbdce008655176741c9d433fd3f42e79990c72fab345fbf5777b1cc291
-
SHA512
03dbfda0a1f34ea8c8b59573723ebc9bebf2fa5c2aad6fd770a1c11537199fee25534865a23911b4279ea73537ded0f42f6faf270365ac4915fa9f882fa87328
-
SSDEEP
24576:Oc7wqlKtw+m21of1PW5ewsF9r3g62h/jOQlg5A7:l7wKJQoxwgbYJqQui
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-