General
Target: RFQ REF40044644EAUSD.cab
Size: 224KB
Sample: 230329-h3jcnafb94
MD5: e3cbb26086d565f812291efc8f2489e9
SHA1: 88ae66f949e2ee06890f4ded031cb5bb1db36c10
SHA256: 14d8849a2723509620ba26498bef7e700c734b08d0fc5b58bb69f52eb38aee28
SHA512: e5b4878d296abc0703b2518401b0d73cc2d12bf8791503551ac21aa8471de5b01aa76951e36d7a3e24f9dd38b1e586ca527ee729981ade227044615b4ab8185b
SSDEEP: 6144:NjfykpHPVNPRUgxIAye8El/o26PowgyoOS/1gjm4wxKtUP4o:1yMVPx5yeVlw2l3OUei4yKy
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ REF40044644EAUSD.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: RFQ REF40044644EAUSD.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.vulcano-group.com
Port: 587
Username: [email protected]
Password: LY{oo-z$*b_#
Email To: [email protected]
Targets
Target: RFQ REF40044644EAUSD.exe
Size: 583KB
MD5: d3fc50d9c133892635d377a4fbe49d7f
SHA1: 4742f12ee2d24ce653d0c5fdfb3a6836a389e32c
SHA256: c9844f8271aa5f5e3284a24d0962f864cfd4fbbe8b65247a017b9eab0a397e82
SHA512: 66ecf6e7726ba3c3c23866b6f04ff7802095773ba3ba3a39976971b7e7fe7f89a4f524f8b13559f0d7812ca4d2e377ce24b4c2c3994cf250d2b5896f64223fa7
SSDEEP: 12288:6scaqpK1WW+t44B6AgcbLsPiKqwLADveSO8n4:/cppAPio8vHO8n4
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext