General
-
Target
738de6017ca3733fa2d8899a9c64d53a.bin
-
Size
778KB
-
Sample
230331-byz2aahe7x
-
MD5
950b416224e11589b78ce2d296deda31
-
SHA1
11cc5aa287a96ded14483fa8c5d2c5f1a0b2c289
-
SHA256
93fb1cad01f999076f0264e744c42b66d8502805b7a096867110463a92c148c0
-
SHA512
29b49433c7fc4b072b6233b8f4e31afd0c13043a812b9fcde9e63c3a6fa364e9b9b693c07ce488f1e83d806eb39140e756ced5056300b64baccdd576fb31b725
-
SSDEEP
12288:vfHg0NnX7J1BiTDFGeCLxJ+WBbXRh70GoOqt0gpCJe8gUyl5YgbdyqE0M06Toehl:vXX9He2iET7vbqt0sX/HbbM0YhtIDrA7
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.valvulasthermovalve.cl - Port:
21 - Username:
cva19491@valvulasthermovalve.cl - Password:
LILKOOLL14!!
Targets
-
-
Target
c33b7b4e1ca47c199ebc7f0027fe163489a0b5bd872206e853ab6779362ee747.exe
-
Size
1000KB
-
MD5
738de6017ca3733fa2d8899a9c64d53a
-
SHA1
13c0bae96872436a314b5bb11d9caa8a870bf9f4
-
SHA256
c33b7b4e1ca47c199ebc7f0027fe163489a0b5bd872206e853ab6779362ee747
-
SHA512
746ba252658115d37dd9701f5000ce3ac82f64c6d289fd509bc2b5fd9ba61c5d9b812cc38f0e60ff946bdfbb4babb131619777e46f79cb47aa2aec03bbf46dc3
-
SSDEEP
24576:/Q12zVZ97cXwdfR++/CMO2bcEBYBIBTKC/hEh:/QAR379dsMlO2bcEBYBO/h
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-