General
-
Target
BL.zip
-
Size
590KB
-
Sample
231121-k1k5kseb6s
-
MD5
f6f29e17a36d3b08bc218e8c0025c3b6
-
SHA1
aecf9964e3f10e19a075202a1e2798c69bc97886
-
SHA256
5d00fd7e4adb5a1561f847b7466ab44b3e652bfe2b0ea30d1240dff1ac564ffa
-
SHA512
ddb5fbb68ef1722ccda280ba123bc408490175351aaaba9173c95267dafb63940c3b4483d5d60a5d20b7c06a484716847ac71b3d18e636ec3b7b0d81cfd11519
-
SSDEEP
12288:Ed1UuB7xWL3HCWv7LkzKB4+grfxzSbKePKs5TYzEQL/grT:UM3tv7LxLgNzqVT+j+T
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.premiermotor.com.bn - Port:
587 - Username:
[email protected] - Password:
e3Q9hj?1 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.premiermotor.com.bn - Port:
587 - Username:
[email protected] - Password:
e3Q9hj?1
Targets
-
-
Target
BL.exe
-
Size
639KB
-
MD5
f174b1148905da35a219d48ef3d5462a
-
SHA1
848cd5ce8791e273c2ba6e94c3c472a9b10b9887
-
SHA256
585d1081bf6b4206396336082e0dffbaaa06dfd5df295a43ffeb84ddefb62f20
-
SHA512
c62fa2b18715d659645f893aea1b002bc4387f2f4976454e848ad6a931c684b9a1941b7d38155b192af6e5bd534f906dca3149d16e441aa4a21327aaf5edacad
-
SSDEEP
12288:nu9G5Zux6LaVKRugcpjfIgRNxLobiePKsDVghJ4:u9kZkQaqurpjQgBLGpVSJ
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-