General
-
Target
28ed8ee9ed926ba3a352a50c8d398c3ae9fa3ae31eb8e251a51290fabdeb7e4e
-
Size
657KB
-
Sample
231208-b18q7sge82
-
MD5
e5101721b750c94cd9cf8b00ff2c3b74
-
SHA1
9ba2d826de667de9d39676d182f47d8b5f46c3de
-
SHA256
28ed8ee9ed926ba3a352a50c8d398c3ae9fa3ae31eb8e251a51290fabdeb7e4e
-
SHA512
dd49d745cc88f44de9e3c6af33abf0ee60b68d09f742514dd0f09ad7450e85ae77b119d0667063093390fa3c12ad0e087c58f85cb45f95426b7c7884142055d9
-
SSDEEP
12288:zhkZ5zorNmfojSAijri5MHgBrxaIXzqe2w7yHGqxUb+FHV2sNwsII1kDY:zK/zorNm1u5LhxBDq6wGJbI+sI8kDY
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.coaatja.com - Port:
587 - Username:
[email protected] - Password:
consuelo63 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.coaatja.com - Port:
587 - Username:
[email protected] - Password:
consuelo63
Targets
-
-
Target
28ed8ee9ed926ba3a352a50c8d398c3ae9fa3ae31eb8e251a51290fabdeb7e4e
-
Size
657KB
-
MD5
e5101721b750c94cd9cf8b00ff2c3b74
-
SHA1
9ba2d826de667de9d39676d182f47d8b5f46c3de
-
SHA256
28ed8ee9ed926ba3a352a50c8d398c3ae9fa3ae31eb8e251a51290fabdeb7e4e
-
SHA512
dd49d745cc88f44de9e3c6af33abf0ee60b68d09f742514dd0f09ad7450e85ae77b119d0667063093390fa3c12ad0e087c58f85cb45f95426b7c7884142055d9
-
SSDEEP
12288:zhkZ5zorNmfojSAijri5MHgBrxaIXzqe2w7yHGqxUb+FHV2sNwsII1kDY:zK/zorNm1u5LhxBDq6wGJbI+sI8kDY
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-