General
-
Target
INVOICE_VM220200200305.IMG
-
Size
1.2MB
-
Sample
221220-lgq26ahb55
-
MD5
9e5896712e5bd0d6172aa4e099849618
-
SHA1
1a2d26505bb945985794ec0cb565fb3583464af2
-
SHA256
d9faf13341cb342979c4eded9bd8f64ed7e369834c24d6d2e2c9c05934b21474
-
SHA512
00eb8493b1d811a2c22907a1aca2b2fbe7c5f31e3693d496124f2cab57a829c582adae543ff3a48ca284ba200ffaf7eefe2bbe01d68cf826e44e4e017cc6acfb
-
SSDEEP
24576:Ki1kwKzPiDkqhvGkzEiTznmbNg3R3XR8:bePiQIVzEiTz8
Malware Config
Extracted
Protocol: smtp- Host:
mail.mbarieservicesltd.com - Port:
587 - Username:
[email protected] - Password:
U)3*{*3X(9vr
Extracted
agenttesla
Protocol: smtp- Host:
mail.mbarieservicesltd.com - Port:
587 - Username:
[email protected] - Password:
U)3*{*3X(9vr - Email To:
[email protected]
Targets
-
-
Target
INVOICE_.EXE
-
Size
727KB
-
MD5
c411f469e39180f39dc9d6fc2eac4b40
-
SHA1
5d6c8ace0e02ed2327a8dbf6da34cad2e347ec55
-
SHA256
1a3bcbdc109cd0f18dc113db9b322efe1ddf97edcf799c4cf77e24235e87c437
-
SHA512
22e7994aaf5ffcb8eed42b4544dd8c3ec9f3736409fe1162d70e998dbbe3367d4bd740c8eaadef2f52814c17a67ac4c22e39d988971b2dae855b1ab532dde99c
-
SSDEEP
12288:wiAmEula+LPPyzPiDVV27Hqzd9Ba7kzRO1oTznmbhM6g3g43XR8:wi1kwKzPiDkqhvGkzEiTznmbNg3R3XR8
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-