General
-
Target
76a44f18a5404bc4b1c61fd1d9b7fad5.bin
-
Size
795KB
-
Sample
230328-b6579sgd22
-
MD5
7e7add1b0a4de314e81dd25a3952a3ac
-
SHA1
6512bd9acc575497093d7ea0e8562fb10ccaae52
-
SHA256
d7d99cf024ba20be93148d992f5b91ae233df649ca9e35c0be8f2e717d339e07
-
SHA512
48125d4dc6ef6a19e35ba573286726380673ff29ff01823f51ef109afb257cd4ec245e538ac565ab249917051758338a5e6bcf51da474720580b087d1e712423
-
SSDEEP
12288:zEdDDsAdsg4YIP4lVhFui+VQ9/EcljqHQivqFCHjQ6fU/nsQC9LQYhtMwX5vDNhJ:YfsL5i+VQ97lqHdvjjpfxLdtMoRhpb
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.valvulasthermovalve.cl - Port:
21 - Username:
cva19491@valvulasthermovalve.cl - Password:
LILKOOLL14!!
Targets
-
-
Target
a03d6f7c3db409c3a07cedb14f9fa7e96b4368a39ee4c291c5eee6912e26b9e4.exe
-
Size
972KB
-
MD5
76a44f18a5404bc4b1c61fd1d9b7fad5
-
SHA1
61b9d4b92c91512e51fcb737fd450d0083e04de5
-
SHA256
a03d6f7c3db409c3a07cedb14f9fa7e96b4368a39ee4c291c5eee6912e26b9e4
-
SHA512
5f1643c2c6758241dfca665db36adf78a786705e50dde7c74b6e93c2a41f5d7cefcccf19a98d07ee059a8154db27542e329aafc9f64986040ab421588286832b
-
SSDEEP
24576:VGR4ypyeFonQUi2tCVSWDtHq3Bhy+ryz2IZWh:VG68Ow0uHyBc+uaIZ6
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-