General
-
Target
http://bitbucket.org/mounmeinlylo/rickirollin/
-
Sample
230614-3k4wvseb2x
Malware Config
Extracted
https://firebasestorage.googleapis.com/v0/b/fir-8c14f.appspot.com/o/rumpe_js.txt?alt=media&token=0ebb3747-9f9d-427c-a6fd-d0c057ba176e
Extracted
https://firebasestorage.googleapis.com/v0/b/fir-8c14f.appspot.com/o/rumpe_js.txt?alt=media&token=0ebb3747-9f9d-427c-a6fd-d0c057ba176e
Targets
-
-
Target
http://bitbucket.org/mounmeinlylo/rickirollin/
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-