General
-
Target
RFQ 071.23 020.23.Docx.xxe.rar
-
Size
701KB
-
Sample
230330-jrka9abf27
-
MD5
c88256fceef22c3ec52029e1b59d3f97
-
SHA1
00306bd4e7acd4d18900dd054708603051e05a2b
-
SHA256
9a555c3dede19ff1788835ed1df301f2b4454ca9c33785ec10830e16e2ddeaed
-
SHA512
cb237a8567380f661bb04231192ec978e838792e841b80fd0a479b115e3074be703dcdeecd557af2eaa31aaa8a6144585ac838e59574e14bed2d2952a0e1d738
-
SSDEEP
12288:SjVkvCZovIVZFyuSSmrVJsdMdybdDfw4RFbi5uevnmbxDABPqpzdmPdrMhv7Z63:Ks2ZIzZS7vukxiQEVcvl63
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
N!hfzy$8
Targets
-
-
Target
RFQ 071.23 020.23.exe
-
Size
779KB
-
MD5
bc1fac98c09af837959226f91f6d54c1
-
SHA1
5257b8498fb0df2e06259fa49a6b333f34603944
-
SHA256
1897da9314bfab3a6feaae55d4e82fa4f764c04593c9aedfc4fde0f7e7f7a2dd
-
SHA512
107d3f67e05e46f788c64bcaa3fa7b506a0b0ae4e1907116d0915fb9721fdae5b1bb48ca46a73b14b506909b3a6a06193578425043fb0f16591654b1dfbcb468
-
SSDEEP
24576:jCVZ9BW+n+6AbaGZwMhK5Uu399i/Ml7R5:G3EK+fbbZveUuNP7
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-