General
-
Target
50...............50..........doc
-
Size
24KB
-
Sample
230330-mty4zadg5x
-
MD5
5eb3eacfdfdb969d2bab0b64be2a5bf7
-
SHA1
dd56c02a8069a24d01ea3cba2dd6f3c3f53c6d51
-
SHA256
456900846bc7241e40616d9f1b075f0144b2f374eb5973efd74500d0dba1fb14
-
SHA512
31afa24c502e0a63a2d40cc02eed4a7a75fb67c66044a0726656bafb6c681c2e2c6ceffde7ee4ed8d84897145c28cf3132be6be0472cf9af42df18e875eaf352
-
SSDEEP
384:sUTsO06RX+ZjfPRKkmZQqgtX5MicRux6diEAXiRzcYh5q3P6It5j8j072Xau69:sqsO0xVf5KQX2iOEvJXSgYqiII072Xat
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.asiaparadisehotel.com - Port:
587 - Username:
[email protected] - Password:
06bietthunhatrang - Email To:
[email protected]
Targets
-
-
Target
50...............50..........doc
-
Size
24KB
-
MD5
5eb3eacfdfdb969d2bab0b64be2a5bf7
-
SHA1
dd56c02a8069a24d01ea3cba2dd6f3c3f53c6d51
-
SHA256
456900846bc7241e40616d9f1b075f0144b2f374eb5973efd74500d0dba1fb14
-
SHA512
31afa24c502e0a63a2d40cc02eed4a7a75fb67c66044a0726656bafb6c681c2e2c6ceffde7ee4ed8d84897145c28cf3132be6be0472cf9af42df18e875eaf352
-
SSDEEP
384:sUTsO06RX+ZjfPRKkmZQqgtX5MicRux6diEAXiRzcYh5q3P6It5j8j072Xau69:sqsO0xVf5KQX2iOEvJXSgYqiII072Xat
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-