General
-
Target
NEAS.7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976cexe_JC.exe
-
Size
678KB
-
Sample
231006-r2pmqadb51
-
MD5
db82b1e54d378158c2873fd90f30880a
-
SHA1
75d28d710180b899847f35de4857952cde5d97ba
-
SHA256
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
-
SHA512
f9c8402cc418c9f9dbfec2b4ae6d5e583e2f89b4a663a079e2c2753b75cd54b553c1fb01b2e28f46661d69e7ba12e6f6b62edc0750bb92e6e9d14b7e2b5b84b8
-
SSDEEP
12288:2iMl/jysa+SRohg0KbwQZvwFRQkFvUPaIONAqptrBm1k5Bfa4SliEv3:kLysa+SKeBnMGkFmaISjI1kjfuBv
Malware Config
Extracted
agenttesla
https://discordapp.com/api/webhooks/1151596988136181840/QdgulOKX9Onw_VaSQk6b3c5Sm7_Mt-0_huxqLUgO5ybBxQL_jiC6-2Afk2vAsJOZSANp
Targets
-
-
Target
NEAS.7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976cexe_JC.exe
-
Size
678KB
-
MD5
db82b1e54d378158c2873fd90f30880a
-
SHA1
75d28d710180b899847f35de4857952cde5d97ba
-
SHA256
7e5e3c49e0bcb2e16b86e870f591feca75b0d7007ed5851ecdfb70fa3d06976c
-
SHA512
f9c8402cc418c9f9dbfec2b4ae6d5e583e2f89b4a663a079e2c2753b75cd54b553c1fb01b2e28f46661d69e7ba12e6f6b62edc0750bb92e6e9d14b7e2b5b84b8
-
SSDEEP
12288:2iMl/jysa+SRohg0KbwQZvwFRQkFvUPaIONAqptrBm1k5Bfa4SliEv3:kLysa+SKeBnMGkFmaISjI1kjfuBv
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-