General
-
Target
72f02b6a2b8fd2a73ae8715fcc2323ca.bin
-
Size
1008KB
-
Sample
231011-mevs1age5x
-
MD5
fa48d94937448e3c0c4bfa62fd2e9332
-
SHA1
caf755d7525a15fc6d7d5e170ca37f0dba2439a1
-
SHA256
1335d37ff619f7760bea092576c9c7e064385eaa93edd8168eed847836b4679f
-
SHA512
29ed943669ca0c47bf9f81815d191b2dedff812876d5e586d1c3d58d325504158cddc269245f75f172d7608e4f3fbeadbcb402a79a1e79073c09db22b01e68cc
-
SSDEEP
24576:W8r8SR9p3iQB65NWqtl0JhSLG9+XzUToKFP+09:WWVH37B6GTuSAXzUToS
Malware Config
Targets
-
-
Target
b0fbd35f04ce341b8e14ad03684aa7a5fbc7525d163f38bf43a0f6041edeb3c8.exe
-
Size
1.1MB
-
MD5
72f02b6a2b8fd2a73ae8715fcc2323ca
-
SHA1
d840ba097b8a157a86b823e4132818a122125381
-
SHA256
b0fbd35f04ce341b8e14ad03684aa7a5fbc7525d163f38bf43a0f6041edeb3c8
-
SHA512
c6b6c54e525503f89395fd76be6f54bf2c898c151a32252ac1e4d04cd39f383992726c43e615cfa149777513bc3fc18b8bd5ce4f73f86f179ee70ef9f4e2b847
-
SSDEEP
24576:CMIwO43ryC3ASF+7Azwr2skstJ6Y2Qc6ZsifO41JdlEQgeGsWML2l:Cu3Ax71rFnJl2Qct8zdltYsW3l
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-