General
-
Target
b6c9c4471cac3642ad6c1eed4ab5aa98.bin
-
Size
512KB
-
Sample
230423-ceh44aac44
-
MD5
82138f3176e31b278548524fa3dcd9c6
-
SHA1
76d2edfb388eef7c5bf3f9d04f7bff76e179a919
-
SHA256
f6bb4c84d3a0d8a33752ba902235c34892dcea9db39c94d5f718dc9bf5b09452
-
SHA512
505ae924d10698ac9daf7bfd0cf6aa95b947be8fa5ccbfa120d08c3a3196951eb02f14558cf0434f1976b73131f3f4fd324fd370b9c9b601c9e984f0b7cecba7
-
SSDEEP
12288:B2GTvIloofSaNIxQAJada49qg7n76sxBFFRtoOR9cHZVsmx:4Gj4LqpNJadN37n2sx5R6ORKtx
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5846767138:AAHbrIUF1epdWlFQ2_64LCd8vdF121y1XGE/
Targets
-
-
Target
0bb23fead3ba01a2ced6b97198a0a12946b4ac4e2c93a39a2286636e484a035a.exe
-
Size
611KB
-
MD5
b6c9c4471cac3642ad6c1eed4ab5aa98
-
SHA1
f0a454f210ce756984dd6ff1517852de9bdd219f
-
SHA256
0bb23fead3ba01a2ced6b97198a0a12946b4ac4e2c93a39a2286636e484a035a
-
SHA512
854f8510c764b08ef2f3908a5c842a0604c7e29f8974779f957212820f1d95f7281796cd5c0361b91c24add4f213310654e907c600a269688abfd07472d00ca2
-
SSDEEP
12288:qLXsIplAtXX7tk4/SAtSDEpGb2rtw1FnVZ2g3bCUBEM/BkT9g3:qLXsIpitXLpzSiG6rS1ZVZ2gLrBDBkTy
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-