General
-
Target
1c71c9a1f55df1eaa11402798696fa7176155fabad5f69f8778d340a911d2651
-
Size
2.2MB
-
Sample
231203-cv2alshb7w
-
MD5
07a27ce678e07245f97aea3ef3310005
-
SHA1
475db932ef060ac59584b1130521ed0990c5a631
-
SHA256
1c71c9a1f55df1eaa11402798696fa7176155fabad5f69f8778d340a911d2651
-
SHA512
3aa52830da5696f170c50d6359ebd222858ef1579e3aae4f78fd8c7705f8a351dad09918261a230e834894502a1bf2339d616d4546bc0f35571bdb82523aa60e
-
SSDEEP
49152:knsHyjtk2MYC5GDsHMxAJ4GIMqyBqYKhSVffgs54ouLwc:knsmtk2akxAJ4oqYLKhSlj2ouLwc
Malware Config
Targets
-
-
Target
1c71c9a1f55df1eaa11402798696fa7176155fabad5f69f8778d340a911d2651
-
Size
2.2MB
-
MD5
07a27ce678e07245f97aea3ef3310005
-
SHA1
475db932ef060ac59584b1130521ed0990c5a631
-
SHA256
1c71c9a1f55df1eaa11402798696fa7176155fabad5f69f8778d340a911d2651
-
SHA512
3aa52830da5696f170c50d6359ebd222858ef1579e3aae4f78fd8c7705f8a351dad09918261a230e834894502a1bf2339d616d4546bc0f35571bdb82523aa60e
-
SSDEEP
49152:knsHyjtk2MYC5GDsHMxAJ4GIMqyBqYKhSVffgs54ouLwc:knsmtk2akxAJ4oqYLKhSlj2ouLwc
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-