General
-
Target
d58e8e7d19e7408779c5f1c36a41e7eaf1a57b59501cf70820c9f32ad69fbcb9
-
Size
808KB
-
Sample
231206-bv9rbahh24
-
MD5
92889030f7857199eba7631a55f5cd3e
-
SHA1
7681f244399525f54b20f34d4a49d0cacdf3c35a
-
SHA256
d58e8e7d19e7408779c5f1c36a41e7eaf1a57b59501cf70820c9f32ad69fbcb9
-
SHA512
47c0d8dca7225f2da2558b81a9e07c897a7280fa53810a1507d3f2c1295f82d7a992e3a96cdc9fcf216ba929f0939b8b4d772f74f4c163fe4fb64f282510b2ee
-
SSDEEP
12288:Q2GAczHQ4fzRpSNAZ+OTuUa8n+23S6KXuf1tdw64BIeC+YnEc5ZCNXwPH2gKzLNo:MzHQ2tpt+OB+IwE1t3nLte8HiBfj/3I
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.issltd.org - Port:
587 - Username:
[email protected] - Password:
iss123 - Email To:
[email protected]
Targets
-
-
Target
Audit_XINHAITONG22_1004738_1_2023092210.exe
-
Size
857KB
-
MD5
64baca6856ba84fe379eb4d720859edc
-
SHA1
a234caa5425fcbc4e783dd00722156e533bd6def
-
SHA256
ab3eb849490834407657e205832591cfa3c3504ed9373bf53396015d62b9e549
-
SHA512
53449f2ed2e397adadb3a48d561c864734961c40392c2f8f3a8ed6c84afd6db8008fc633405a065cc07a51f8396015f7bb8b3b7c1c4cb8aecbbc1a588b5d53db
-
SSDEEP
12288:DO5nF8pREGHTbSGWJ7Usocar3S6KMvbPt1w6+BIe4+YnKc5lCzXwPH2gYDMID:Km39s2LwMzPtNPLPe8H6MI
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-