General
-
Target
8519570963.zip
-
Size
620KB
-
Sample
221205-zkfbqaef54
-
MD5
b10954d196b702ba05bf7601b9d72e7f
-
SHA1
cfe45efe8fdda20fb7c5f33af6c7888a1d19f3d7
-
SHA256
bb3fdd08cbbf3f8a1ac68b9968719290ba713a0cdea09f556a590c4d3819e9c0
-
SHA512
4d6b110c231d1914e585c5b95ddf02157fd7d5483ce40c122b6684162f1d3f9542aad584858e94f512c7215a3ab7b426033dfdac0df105fa045710506aab7bb8
-
SSDEEP
12288:uoIqMskV9CQdVYUx6V5G1Vh9kUtng/LSV3Sr2dQJ9o:0qMhV9CQsICGh9kUtn0GCr2deo
Malware Config
Extracted
Protocol: smtp- Host:
work-toolz.click - Port:
587 - Username:
[email protected] - Password:
3HLkst~=QzD3
Extracted
agenttesla
Protocol: smtp- Host:
work-toolz.click - Port:
587 - Username:
[email protected] - Password:
3HLkst~=QzD3
Targets
-
-
Target
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
-
Size
788KB
-
MD5
4252062a013af0c7953e4d14fe646e93
-
SHA1
ada3f9cf06008cba824e4bcda68f80da99d13893
-
SHA256
5f5f98c19f889e41a9a73b991ee4aedca90055f848a84b1441ae45be8d380f6d
-
SHA512
83c9d4e85a378e8d02393315c480dac1e6fab024bb95717e8ef4a9598782e784539374b127836695a6722662d1dc74a54ddc54d6bf02fc2e7c2dcd1a810f6f89
-
SSDEEP
24576:UraCDwovMPVLs5pcMrQJ63f81b34B5O8f:4aSJMPJGrQJ6vYr4jO8f
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-