General
-
Target
z1RES_AGB_eroFame_EN_2023.exe
-
Size
791KB
-
Sample
230327-pwrh1sfe4x
-
MD5
bb692c2529d69ab4e893ca2e30b0d8eb
-
SHA1
134d722d3d2d64dceb2511ffd65fa65836b7774d
-
SHA256
d9291d64e26f7adb615e269cac4577c1fdd30c2f4f82868d97ff9d1bca4cdb73
-
SHA512
0ad2bd8878fabb5f6e30b3500ea0923aeeba472b968a546e8ac5bbe704db4584cc74d0fbde7a1223aa5e22e226d0d8a7603356960018118e3581c6bf6db99554
-
SSDEEP
12288:vA5xB0OH2J3RcMrPj8gPGr0MdUH38NbC/UkMxFEXkNidD3LLigLJwsuHJhZ:vA5rcFRcMv8mIr6Yp7DsriMysupD
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6126200999:AAGl6SGptu7yDfEtkr6O0gjkZAOexeUyH6E/
Targets
-
-
Target
z1RES_AGB_eroFame_EN_2023.exe
-
Size
791KB
-
MD5
bb692c2529d69ab4e893ca2e30b0d8eb
-
SHA1
134d722d3d2d64dceb2511ffd65fa65836b7774d
-
SHA256
d9291d64e26f7adb615e269cac4577c1fdd30c2f4f82868d97ff9d1bca4cdb73
-
SHA512
0ad2bd8878fabb5f6e30b3500ea0923aeeba472b968a546e8ac5bbe704db4584cc74d0fbde7a1223aa5e22e226d0d8a7603356960018118e3581c6bf6db99554
-
SSDEEP
12288:vA5xB0OH2J3RcMrPj8gPGr0MdUH38NbC/UkMxFEXkNidD3LLigLJwsuHJhZ:vA5rcFRcMv8mIr6Yp7DsriMysupD
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-