General
-
Target
5ed0148883d306e533da4736ddcd1374212beb7e0ee53461cb7a3f07a162a92c
-
Size
554KB
-
Sample
231208-c55e1sab5w
-
MD5
bcd4ada0dd069980a2c609c6bcf3d386
-
SHA1
1a167df3ec037745775804b8ec26fab5e2fba005
-
SHA256
5ed0148883d306e533da4736ddcd1374212beb7e0ee53461cb7a3f07a162a92c
-
SHA512
e9c56801d7268ff0eed3170717cc51edcad8dec40fe43655d49aa50deb06103a0da94f178353725c91a33bec43c2ae2f00c277c315ba7296fe616f38c5bdf624
-
SSDEEP
12288:+YMA+sfkkFAbLXgGtR2vu1u/sgPNJ3V4K5W:ZRDWXL2vb0ET4K5W
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
kV$bSqJ1 daniel - Email To:
[email protected]
Targets
-
-
Target
Invoice.exe
-
Size
603KB
-
MD5
3552552714e612e9c9bef9c2684b9341
-
SHA1
a547d614934e54d862e7d18b31a18cea0227669f
-
SHA256
16b256209f831283dae3df4c0accba88f2c40181efda89a644e2948bb4d7c8dc
-
SHA512
906bedfd82ae522e8a48a174ce3abfb7eb2cd5b97f77ffb8afe0f85a723e616a61b23568f0abb97b87800a4e90cda0b88a2914c5363daba973acd7c1b9df65b1
-
SSDEEP
12288:tBqW3HA+GP0C5vkEFR7LOGJXWSNhScAueH5qzr:t7kJ58EFNWGhvkq
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-