General
-
Target
c5f03dfe714e81188bc7c6a681b48147.bin
-
Size
17KB
-
Sample
230328-cvlj6age63
-
MD5
4e4a9643194a7c057653241d9d5d2ffe
-
SHA1
68c7538f251d2baf1259619da67d810bc83b5dd5
-
SHA256
90f27e90f713d19d2cdef8defe1cff2f88dfdbde1d27197cf7f64b5aadae5eee
-
SHA512
b1665fbcaad2952432c4c0d711b1c3ed46122a103ee8d80f756123f288a33854488a6ca0877c6808c607be033ebed76cee4b5d24f8096748b84b8a105deffbbc
-
SSDEEP
384:opTjBYOAGv4IhfHnuRO3jmpuePv2DCcGt0B2jSxs:oTYORvNhfHuROypszVS
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.ungaplc.com - Port:
587 - Username:
info@ungaplc.com - Password:
Maco@2022@ - Email To:
afnrobertaol@gmail.com
Targets
-
-
Target
016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3.bin
-
Size
35KB
-
MD5
c5f03dfe714e81188bc7c6a681b48147
-
SHA1
3fa716a9f1781eb63de8987d0a176c840643c3f9
-
SHA256
016d1da2f0244ac3bbc392caace0d8ff5fd1870e6c627802d2e8b09c39e393a3
-
SHA512
781bdad3e8643ba187110b153cc8982c2809cb0ba0346a9c90a7121be5e583b719b22e5d404ee405812c0cce1355b2485a9b25b120c2ac0d025acd996e6838fa
-
SSDEEP
768:7Fx0XaIsnPRIa4fwJMJhpUMEuKNzE9apsX2RSbRqPqBhvb/d1:7f0Xvx3EM9zElNzDsNBtb/r
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-