General
-
Target
NEAS.bf934681200971a6ae822aa59d0cbb4da25e5f225731f99426f4bb1721063bde.exe
-
Size
716KB
-
Sample
231202-l9p1kabg67
-
MD5
27177294843b989dfe02bfb64622212e
-
SHA1
9584be4dccf2c5067629d208490040223ad98f80
-
SHA256
bf934681200971a6ae822aa59d0cbb4da25e5f225731f99426f4bb1721063bde
-
SHA512
73a8a029b50fcd256f578858f24cfead91287e97c38dd2fa4764d2d94012b17abb4b0a64ca9e139c34f21481cd358d2c00ae4865b490cf6870c5cfe655a5bd69
-
SSDEEP
12288:RVdIOcaKXPuUs/IbknLJfUhhNA+xFR8wuaVCQS3ObHe7itlEEM:RVlcae141chha+FR8wvV9e7mlEEM
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
sg3plcpnl0195.prod.sin3.secureserver.net - Port:
587 - Username:
[email protected] - Password:
V#[email protected]&Qo! - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
sg3plcpnl0195.prod.sin3.secureserver.net - Port:
587 - Username:
[email protected] - Password:
V#[email protected]&Qo!
Targets
-
-
Target
NEAS.bf934681200971a6ae822aa59d0cbb4da25e5f225731f99426f4bb1721063bde.exe
-
Size
716KB
-
MD5
27177294843b989dfe02bfb64622212e
-
SHA1
9584be4dccf2c5067629d208490040223ad98f80
-
SHA256
bf934681200971a6ae822aa59d0cbb4da25e5f225731f99426f4bb1721063bde
-
SHA512
73a8a029b50fcd256f578858f24cfead91287e97c38dd2fa4764d2d94012b17abb4b0a64ca9e139c34f21481cd358d2c00ae4865b490cf6870c5cfe655a5bd69
-
SSDEEP
12288:RVdIOcaKXPuUs/IbknLJfUhhNA+xFR8wuaVCQS3ObHe7itlEEM:RVlcae141chha+FR8wvV9e7mlEEM
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-