General
-
Target
5190672.zip
-
Size
543KB
-
Sample
230330-ngpv7sdh4x
-
MD5
5b207618d49abfd8b2d432706f8ebc2c
-
SHA1
90f74fd3d21a9f09aeb3116dbfc97cd49264686d
-
SHA256
9711294918a8cc2e424c2bd81b3c81b8f8d939e1c761588399c9fcde7a2d0ec3
-
SHA512
4026bd0a86d3204ca68089d6901c20d30fd2a31277a7a0ef8ec9045f77ee85a3583b3f598d8a1d57ed1d948aa98633fc7b5c5d3d2a8a9ad527d242415c0acf40
-
SSDEEP
12288:9/qM4kM4bFhqvxlknCIdkSkpD6a5Csr9YwaM8UaHEKrgEuJsz1rwrMYdFgymR:5lM4bFcknCIdk35CcYwanvr+JrJdFgyi
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.asiaparadisehotel.com - Port:
587 - Username:
[email protected] - Password:
06bietthunhatrang - Email To:
[email protected]
Targets
-
-
Target
5190672.exe
-
Size
658KB
-
MD5
131fc2043b4c740cb1a3bd4a8398a780
-
SHA1
041be9bfdbed62d56906f5fe2ebdad0f1f7037d5
-
SHA256
191529d733524665838e0d27b44844ca0a3c914d8577d4f2d8c8b93ea4a7729a
-
SHA512
e2f5bd59a57b4a47756643e8395d9b8bdf2d1b02e3f4eb20409195027d7921e7614153b93efda90daa00e31cfd72f4f1e26774121d90b3995e681463c69af31c
-
SSDEEP
12288:74DM4ky4LFhqvVeACFUYvHoIlC/BEzOCHHwaMgUa3EKrgXcsznauIimOMt+k:7Zy4LFyefHNlw+zOCnwapHrcPnbIimX
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-