General
- Target: IFE Gmbh,and Engineering Request for Quotation (RFQ).rar
- Size: 2KB
- Sample: 230707-h5hh5sfg28
- MD5: 459a79b6583f9c4cfc2fc3d5df6f7988
- SHA1: d955bf366cbd1a8115c44782e33591930ebacaa5
- SHA256: 2b94576fd11ef2c01df19e1170274e70e5c63dc307959b6470a94df6d5b8d823
- SHA512: a2e89401e70aa823897db8288c5b170a987ed237334251fcf026d03096eaf58fd34bb854e4fbcb5ac924b734ba6e7ea44503783b7280f073a6cbf52568d56876
Static task
- static1

Behavioral task
- behavioral1
  - Sample: IFE Gmbh,and Engineering Request for Quotation (RFQ).vbs
  - Resource: win7-20230703-en

Behavioral task
- behavioral2
  - Sample: IFE Gmbh,and Engineering Request for Quotation (RFQ).vbs
  - Resource: win10v2004-20230703-en
Malware Config
- Extracted: http://cryptersandtools.minhacasa.tv/e/e
- Extracted: agenttesla
  - Protocol: smtp
  - Host: mail.seylan-lk.icu
  - Port: 587
  - Username: [email protected]
  - Password: @=~Uk=x~G-ua
  - Email To: [email protected]
Targets
- Target: IFE Gmbh,and Engineering Request for Quotation (RFQ).vbs
- Size: 319KB
- MD5: 9024ed9423885c42335a151dfcefc576
- SHA1: 79e677b68313d7866199bd1b48e39ec0fed164df
- SHA256: bdc3b394b6fa647e13f3b728786c14a58e44af9f174563550a7bab578303d1c8
- SHA512: 4ef549b5f61398fbfaaa213992acc64de52febff9fefc0310b360e25dff34535117278a341e6dd521e07b880e9db6c7f4476a9aea6fad51a863e8dce7af4139b
- SSDEEP: 384:zBBcRvxarYgnF600/tKx3y4ZJDlIh6dJhq:zBBnq6DlIh6dJhq
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext