General
-
Target
85d29bf17d2b11754deb221731a9ea4c.exe
-
Size
791KB
-
Sample
230328-hzc2gabc8s
-
MD5
85d29bf17d2b11754deb221731a9ea4c
-
SHA1
eb91d80b64db46e71784db25ff2380003d3a1b9c
-
SHA256
770a7455fc0ac683cf1ea5f64c528ea717871300c1ff20e29cf34276acd0528d
-
SHA512
4d4a53e359289b097e8aa7debd3dee172b6244690641571a6ea53ddf72b316ad0cd224c7946d952c95b63932b2b535a00bce7c4b2448c188fbe4da0cfd422a5f
-
SSDEEP
12288:ZAwKdJVZz5ddOa01PTqcy3jP3fBfzUnFBDxqF7ETu6jQRwcndJoTgfz8uf:OTVZ93O1qcyNAVK7ytby+gl
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.valvulasthermovalve.cl - Port:
21 - Username:
cva19491@valvulasthermovalve.cl - Password:
LILKOOLL14!!
Targets
-
-
Target
85d29bf17d2b11754deb221731a9ea4c.exe
-
Size
791KB
-
MD5
85d29bf17d2b11754deb221731a9ea4c
-
SHA1
eb91d80b64db46e71784db25ff2380003d3a1b9c
-
SHA256
770a7455fc0ac683cf1ea5f64c528ea717871300c1ff20e29cf34276acd0528d
-
SHA512
4d4a53e359289b097e8aa7debd3dee172b6244690641571a6ea53ddf72b316ad0cd224c7946d952c95b63932b2b535a00bce7c4b2448c188fbe4da0cfd422a5f
-
SSDEEP
12288:ZAwKdJVZz5ddOa01PTqcy3jP3fBfzUnFBDxqF7ETu6jQRwcndJoTgfz8uf:OTVZ93O1qcyNAVK7ytby+gl
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-