General
- Target: e993a3c9d5843541d742dfd2a0603004cb24431cc152e54042056f33ab1ac9e4_JC.zip
- Size: 534KB
- Sample: 230830-w2k2ragh6w
- MD5: ab9c6d0aa5ff0157bbf78ebaaff09cb5
- SHA1: 5e3a6ab47d3e592bc509366cce5dc60eedada093
- SHA256: e993a3c9d5843541d742dfd2a0603004cb24431cc152e54042056f33ab1ac9e4
- SHA512: 17094d61183659f19f1edc1a9cf7303a34ca5e322dedbe0e7e294fd9177c19b11393b35675dc429a3905fec067057a3472121439ecd42a4a498a0263fcacc7b9
- SSDEEP: 12288:GyG8xiSOVfblAAJMUABsYAvxZVPCwNPx+Y+/mcts:GyG0s/AAeUAO9vxZRN5uts
Static task
- static1
Behavioral task
- behavioral1
  - Sample: swift copy 01429619.exe
  - Resource: win7-20230712-en
Behavioral task
- behavioral2
  - Sample: swift copy 01429619.exe
  - Resource: win10v2004-20230703-en
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail92100.maychuemail.com
- Port: 587
- Username: [email protected]
- Password: Qwerty2020Hp##
- Email To: [email protected]
Targets
- Target: swift copy 01429619.exe
- Size: 877KB
- MD5: 91cd93fba6b81b52a33be26725648ea3
- SHA1: 619c1adc65cc1e7c9cca4b7a9c38c471642512d8
- SHA256: f96299e1c7579d62b11c5f2699e9a15bfe3d945b74c30e1bdf986c3ab60f23f1
- SHA512: 1021e380d49fac5166413b2821ff61ea0fa379448b6821328427b2645c8f4cd94780b6ff0ac5a61b2065f69ef680905136729a121f31ca5f525a1c653f50608d
- SSDEEP: 24576:Z3LpppNpppppoOQpppNpppppoOiuayAeUHe5vbZtNLS:ZqO7OiAAe1l
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Suspicious use of SetThreadContext