General
Target: 2554873578B0BF2BABB2098304DD6FBDBE69AA5F628DF8D28F13709EE21D163D
Size: 1.5MB
Sample: 230518-q279dsae4v
MD5: daa3ef1fc8f2064e806bdcdcce46be20
SHA1: 2b9efa3af9a95ff9f874b0cc620bbf47c619db86
SHA256: 2554873578b0bf2babb2098304dd6fbdbe69aa5f628df8d28f13709ee21d163d
SHA512: 9dea9cbb2c98ce0d7e6ec96ba609862d580b3b5843af7b7c81e0f8b96602934aff824e7bf8821102ddcf339c82d9c8c6ce4f47c35f8eeafcb1df1034f4325b73
SSDEEP: 12288:kMuOAqXdmDjWAnzBmL7a14CwH9CcQc5nWdGwLNMMtqEoV3bDtCatnP9ncEdzz1K1:WC0zqlHUcQc5nWdGEMM4ECPn1bv
Static task: static1
Behavioral task: behavioral1
  Sample: SW768453.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: SW768453.exe
  Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: stilgar.disena.pl
Port: 587
Username: [email protected]
Password: kadry12#$
Email To: [email protected]
Targets
Target: SW768453.EXE
Size: 982KB
MD5: c4accb4dda30a9f0231d6811d1e847e8
SHA1: 01c7948558032f32a12dfd96fce39105c1b6b5b7
SHA256: 95c803105f7876b44acc5612445686ce43d4eade6c234fde0f79ddf49f06a889
SHA512: 749c51c90016508a80a7c0f9482bfae465dc5df21b358c138e182d9a58efd569048a913c5ddbd0873e22e325a2cecb5e00a766fa52635d9fa18642dcf6b40ddd
SSDEEP: 12288:EMuOAqXdmDjWAnzBmL7a14CwH9CcQc5nWdGwLNMMtqEoV3bDtCatnP9ncEdzz1K1:2C0zqlHUcQc5nWdGEMM4ECPn1bv
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext