General
-
Target
b457da14609fc8020ecfb60e38e40ebae7e5c7d5ec5d2cdfd6efe28993003343
-
Size
430KB
-
Sample
231208-clp6zsgf75
-
MD5
48f711ef249aea24262173e584b56cc0
-
SHA1
b584ef035a25329bc98d064730ee685481cbf36a
-
SHA256
b457da14609fc8020ecfb60e38e40ebae7e5c7d5ec5d2cdfd6efe28993003343
-
SHA512
5b587eff354142e0dc10aa8e1dad6c2bcb649c211b187bbf1c573941c6a05b9079f00651920f430ef86926aa2c06f79cf3a60fb4c0abea482abeda1329469bf5
-
SSDEEP
6144:eKiAnmOeYfCjXwVKXCPVmR5Q64dIhBzX+8PkYdFitqsAHHxZSFXHT5TyibAf8Sa3:nmwK7jFu64GHzNYOHxZSFXIgA0P
Malware Config
Extracted
Protocol: smtp- Host:
server1.sqsendy.shop - Port:
587 - Username:
[email protected] - Password:
O4{S#5MLFM!Z
Extracted
agenttesla
Protocol: smtp- Host:
server1.sqsendy.shop - Port:
587 - Username:
[email protected] - Password:
O4{S#5MLFM!Z - Email To:
[email protected]
Targets
-
-
Target
b457da14609fc8020ecfb60e38e40ebae7e5c7d5ec5d2cdfd6efe28993003343
-
Size
430KB
-
MD5
48f711ef249aea24262173e584b56cc0
-
SHA1
b584ef035a25329bc98d064730ee685481cbf36a
-
SHA256
b457da14609fc8020ecfb60e38e40ebae7e5c7d5ec5d2cdfd6efe28993003343
-
SHA512
5b587eff354142e0dc10aa8e1dad6c2bcb649c211b187bbf1c573941c6a05b9079f00651920f430ef86926aa2c06f79cf3a60fb4c0abea482abeda1329469bf5
-
SSDEEP
6144:eKiAnmOeYfCjXwVKXCPVmR5Q64dIhBzX+8PkYdFitqsAHHxZSFXHT5TyibAf8Sa3:nmwK7jFu64GHzNYOHxZSFXIgA0P
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-