General
-
Target
purchase_order.7z
-
Size
590KB
-
Sample
231212-s1b6nsfedl
-
MD5
23e03e7733008e720fc0527297dd6256
-
SHA1
97fa6142b112f1bc8683287711e5d2f26d670617
-
SHA256
1eed2bbece7cb87fe2548552724b0e1c5cf400a14cfba0a3fe2959d27eae49b4
-
SHA512
d6c93cdbdeeba4b7f97d096f8a6d1cb99af542178b2b4042decb85510067cdb8aec26cc9b3c0b3b047d7cecf46a44d7e2137c9eaeb6bc53cfc5a8bd726186c2c
-
SSDEEP
12288:BABlTLgT4bT0W8ry7suSmvPokVrqBs2mAYuaNc1MhAEy7wydNdQZ6:UHg0bx8r4sutvPoE5NbuaNhgs6
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.bezzleauto.com - Port:
587 - Username:
[email protected] - Password:
kex#-rHjHM4qKk52 - Email To:
[email protected]
Targets
-
-
Target
purchase_order.exe
-
Size
882KB
-
MD5
f82b121e447bb312a0c383d78a90490f
-
SHA1
a2570c68231136bb0d7b260f906d1e5a78c25f48
-
SHA256
d61fdb59b0176c8e329052c1b577dd366f17f206b79769bf3ae56ed6d52575de
-
SHA512
cfcf833f59f3f47aea75ea62b79d5ca57fcad8e56943bb60cd4af0212baf3c6720d9f991a3dd8964a9e272b2b82f0416fa5d06988e90dc9fda2a0e56d649dc31
-
SSDEEP
12288:r6zcyAwHWZJOLMZ7vgg24T4xT0Wm6y7+uSm0POeB83mAQuaPc19LW1lVmt1XS/2E:r6TH2gK0xxm64+ut1F2fuaG35Cy
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-