General
-
Target
dc888cf68cf5288a9072df9ab7abee6fbe8195b5436e81e74182112181aff677
-
Size
549KB
-
Sample
231211-gtegnsgcf7
-
MD5
6f7761678a244483571453c9f4c51e83
-
SHA1
dea9a2db83389b86c630fade1bd930db0360c1ec
-
SHA256
dc888cf68cf5288a9072df9ab7abee6fbe8195b5436e81e74182112181aff677
-
SHA512
db4a06bced0b12b73d2d300eeec00e29707e3b32deec737c4ea6346ba9fbf9ec999f3a98a25df2d92ffac3ecfb7edf8a477abb38c5a6f7907468e01dab41d50d
-
SSDEEP
12288:lDGmZCPZwEcehSlltOl14/mNpF/2lecCSsIrJRnxUr:0mZCPpceevOCq/ECSs2nxi
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5556229164:AAG06WuQ2Ibcy5ZKb4lTSDlmionK0lTPWiM/
Targets
-
-
Target
Request_J3M4KY4.exe
-
Size
586KB
-
MD5
f9f528333ecafe75f5a1bda99f5078ba
-
SHA1
f0bad69ec4e17b2a9ea58cc2111e217bf20ebeec
-
SHA256
36c7aadbf176670afd5f3b43adc0fe552cacf641079f6b6f71f285acf0c34e63
-
SHA512
dfad66174ab7c8178143337b9dadc4afd1709ec4f9f518abd906cb4273fd0e6c4b8c63ff5f6a7dfb7e715052fc4915a9a1b3ba347b14120642cbde23b8b309ff
-
SSDEEP
12288:+3IU8S6eUdvPW4kqce1SlltOH/+/gNx1/2beQC+yvWDw8e:UItSAdvzceKjOEM/MC+yKw
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-