General
-
Target
controvoke2.1.exe
-
Size
411KB
-
Sample
230828-wza4rshc4z
-
MD5
3c235c238a38a7dc10d78f0ba080587f
-
SHA1
c3793be872f2621f25aa858391657967a749eed2
-
SHA256
11e6f0a94e14abfea4bdbde34de5d22b2428775f23a5ecf32c0382d9b4e23e0f
-
SHA512
180ac1fb17e1909041897bed7ca9301c2a4b75a251be815b6ff215e05a37aee85685fbc8b59552f956fd97a9f25ab658a4584f777b26f72caa3291c79e340959
-
SSDEEP
12288:2YdrUBonHv0ExODZoyXqqT4yX8TpiImGVeBsg:2YFUo/xmZMbMWVlg
Malware Config
Targets
-
-
Target
controvoke2.1.exe
-
Size
411KB
-
MD5
3c235c238a38a7dc10d78f0ba080587f
-
SHA1
c3793be872f2621f25aa858391657967a749eed2
-
SHA256
11e6f0a94e14abfea4bdbde34de5d22b2428775f23a5ecf32c0382d9b4e23e0f
-
SHA512
180ac1fb17e1909041897bed7ca9301c2a4b75a251be815b6ff215e05a37aee85685fbc8b59552f956fd97a9f25ab658a4584f777b26f72caa3291c79e340959
-
SSDEEP
12288:2YdrUBonHv0ExODZoyXqqT4yX8TpiImGVeBsg:2YFUo/xmZMbMWVlg
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-