General
-
Target
OHMS.exe
-
Size
1.1MB
-
Sample
231011-yvgf4aac4y
-
MD5
04ea0da6b921494dd73f396ecfe1de5d
-
SHA1
bb082c74dd2297472ee4855f5400610358a775ed
-
SHA256
db5eb79f5123b64dee1703eca26c91c3e4caa69b4515293778962c54eaded05d
-
SHA512
b853ce633f9f6796419324897ab80bc9236ed4ab8447a5d6d7cdb66ee9f0392207fab57c9ce804e01231fa2e8da7b0a20405b27ba026d985e16d4e71776646df
-
SSDEEP
24576:lz2Vk+YQNRfO2w9aiXjvxNe0O0w8B63L+q1Kj1:laVNYCG2w8ibe07U3L+q
Malware Config
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
kOOdr$f8
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
kOOdr$f8
Targets
-
-
Target
OHMS.exe
-
Size
1.1MB
-
MD5
04ea0da6b921494dd73f396ecfe1de5d
-
SHA1
bb082c74dd2297472ee4855f5400610358a775ed
-
SHA256
db5eb79f5123b64dee1703eca26c91c3e4caa69b4515293778962c54eaded05d
-
SHA512
b853ce633f9f6796419324897ab80bc9236ed4ab8447a5d6d7cdb66ee9f0392207fab57c9ce804e01231fa2e8da7b0a20405b27ba026d985e16d4e71776646df
-
SSDEEP
24576:lz2Vk+YQNRfO2w9aiXjvxNe0O0w8B63L+q1Kj1:laVNYCG2w8ibe07U3L+q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-