General
-
Target
d17e59fd176aae98c150886fea60570b.bin
-
Size
524KB
-
Sample
230526-b5mpjadc87
-
MD5
0d07608423ab435bcc6e0e68b6b955fb
-
SHA1
e4a5ccf0bc221752a20d8b536dd41f6b427bd980
-
SHA256
b733b283ee50d714ae9289b1d375dc28978b02449504f72bb904e416c439aeeb
-
SHA512
d40626a17c265bcd98b02bfed5663a5b36fdd815d5467f3a201be47a0afc3140acb9df157f4dbfe71979e1cbef92c498b6ae2083eb6e01103b79f39671e3c38e
-
SSDEEP
12288:eT8uYz98TToUXDhWtBPa2bUs6B/cckMtEyK6:luYWP1hWrC25Mtc6
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.redseatransportuae.com - Port:
587 - Username:
[email protected] - Password:
method10@10 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.redseatransportuae.com - Port:
587 - Username:
[email protected] - Password:
method10@10
Targets
-
-
Target
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0.exe
-
Size
775KB
-
MD5
d17e59fd176aae98c150886fea60570b
-
SHA1
b01a5d94c62b07a26721d71e296c3fcc60488c25
-
SHA256
8086b51ee5ff64002102bf80e36b81650ba576903fc00965e1a947ae013aa9c0
-
SHA512
f56f3482432628fd2b27590bd4aa5cec8903b2d6dcb3e6ffd9844d8d539aa2d9ef56ff6404e65b1d11a4024bf923461048fdd5b21751a76f7cb38e715292544f
-
SSDEEP
12288:E+nL4snOS4moTN3YNXNT5xu52vao4g4o2QDYEIo1qSZk8xT2F6oL:9O3moQ5xM2vao4afBS8te6o
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-