General
-
Target
Mai.Chang-Green_TT_USD30100_INV00478764PDF.gz
-
Size
184KB
-
Sample
230328-qt5hjabc72
-
MD5
574a854bcc066d7330274e6adddd7793
-
SHA1
f52e22ace2573ec3843060946aaa1a2b31a69b3f
-
SHA256
3bf57e9078e47ff807947a4f1788cb9e609911294e11f916f92e25c9fa977a30
-
SHA512
87140deb2b52832e762f5851c1701e1ca2deb210021bbb634353873eb7e80508a5df316e8c9921f933e1c067f8b815fd4a646b44e1e2ea74714f93386f2ed683
-
SSDEEP
3072:IdawbaSBcOimYv8dsvmtadywtgc1HXWDWwMX1xbraZmTZhLwzf0jkN0/xCE6K:Id3Pc7rfvmtaTuc8ywMzasnmf0jQEF
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.vulcano-group.com - Port:
587 - Username:
webmaster@vulcano-group.com - Password:
LY{oo-z$*b_# - Email To:
china@chinatoolzlogs.com
Targets
-
-
Target
Mai.Chang-Green_TT_USD30100_INV00478764PDF.exe
-
Size
528KB
-
MD5
63efa34320ba0f7e98104f825a565acc
-
SHA1
93c4cab360f609e22839fd0e8ffca5e46e927c8b
-
SHA256
dd277dde3049bb20e367796ae4cf93dd4e3e119104e72318ffc84f148f7e7a30
-
SHA512
497d649b634efc6e14d74962b120d5f38cbb196e1516a90cb7bf6649e29087026b9eb764f3407373ff4c33b8927dc78a3bf8078318c02c98031669b9a1c62144
-
SSDEEP
12288:EDFZYmE70Y2cq+Dfhh5/8IU0alaLg3aJnz/1WmR:EQjF2cqWfEIBqgJnz/1WmR
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-