General
-
Target
9637811090.zip
-
Size
236KB
-
Sample
230322-jvk2yshe7s
-
MD5
6d20118da52d83b0db753e6a341db25f
-
SHA1
6f0f4c6bfcc3eefa0ca15fb76a31516b36d07f13
-
SHA256
48585a6d5eb1297a60066fe3617ba547265d43d9fd4b5a1e4c61801c0d39e690
-
SHA512
6bb6fccd01ea8f36e8dd33b601b93e464e43d168842276fdffeed1552f195267df420cc4f7c35f848f622a03eaff3dd738561a27d935cda00f3ee455cec00f25
-
SSDEEP
6144:J2iGAg8OEWvNrfz7fgpJaVnXUXBq39ILOGl1Xb:JpORL7fgpCXSq3eLOar
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.flood-protection.org - Port:
587 - Username:
somc@flood-protection.org - Password:
somc2424@
Targets
-
-
Target
DHL Consignment Details_pdf.exe
-
Size
605KB
-
MD5
e915458310797b8738f816e6231e139e
-
SHA1
5550e9bed859987c2a21fc2a3a20621805fc57bc
-
SHA256
29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81
-
SHA512
09a8c30c5bc442873a7bf0428f8b074f01e6648273218bc6855d7a38f8485208edc8acb835647851237da4df0ffe2a0507e1a02191490b4cfe987bec5cff753b
-
SSDEEP
6144:gINjprJlckeFAypJXSu/2I9A80ab94dhx/8NJCibbb42et5k+nV/YLGmA:/rJllzkdSW0B8M2et5Hnd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-