General
-
Target
TNT Express_874993766478.exe
-
Size
825KB
-
Sample
230310-hpszyadg2z
-
MD5
6f6096ddb90451da303e21b20edec778
-
SHA1
acbee11825e72f1be2eda845d0282d3a6b315e3b
-
SHA256
9f5e89aa93961e166ea0aa24c0005541f58e1d352ae7c5781ce63f4369f62555
-
SHA512
f48103d284ae449e2e6fc37545b65d88cd073befc24e5f909d3658cb9cb8ff3e6ca7208d28d2cc980a8d94276b1516fc4c93fa20d468844fff2aee5479d7a26b
-
SSDEEP
12288:EFlLKHFjcsqUWOMnVEscQaZpWS5C68pTB9PUAEoynHBLHeSABu7POBdAAN+RW6DQ:yzQQaZpWApbFWgCd5+RWKkeXz5E86x
Malware Config
Extracted
agenttesla
https://discord.com/api/webhooks/1081892640439672912/zNpFACvFk673ln1OzpAudejgNiaSGji8VEgtzzJ8uIJkvmL83OW3yYYB672TTqrjt1-l
Targets
-
-
Target
TNT Express_874993766478.exe
-
Size
825KB
-
MD5
6f6096ddb90451da303e21b20edec778
-
SHA1
acbee11825e72f1be2eda845d0282d3a6b315e3b
-
SHA256
9f5e89aa93961e166ea0aa24c0005541f58e1d352ae7c5781ce63f4369f62555
-
SHA512
f48103d284ae449e2e6fc37545b65d88cd073befc24e5f909d3658cb9cb8ff3e6ca7208d28d2cc980a8d94276b1516fc4c93fa20d468844fff2aee5479d7a26b
-
SSDEEP
12288:EFlLKHFjcsqUWOMnVEscQaZpWS5C68pTB9PUAEoynHBLHeSABu7POBdAAN+RW6DQ:yzQQaZpWApbFWgCd5+RWKkeXz5E86x
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-