General
-
Target
85e2f1571b7a214c97af1f1ed776f2f3d8958abfcc7301d14f4d435984287af9
-
Size
741KB
-
Sample
240111-btt98scgh5
-
MD5
9341b17fea0b6ed0eb2c904af804f77c
-
SHA1
96c99433699c39918f16151b2c24a1d5780d455c
-
SHA256
85e2f1571b7a214c97af1f1ed776f2f3d8958abfcc7301d14f4d435984287af9
-
SHA512
eb6d26429a5a56432b3ca1521ba091a915ec269a8080b0b4c57dd1db4b3e7f91c7687bf379736dc69856942e5d82b72f008d254df88f7c01113a0d7df4cc7ad3
-
SSDEEP
12288:xkCQy/VZw/NwxgO43NvmcXNYLmVWXRH5wIaZZAvhq391PaOvFfV:Ojy/OiYceuy85AZGvUvpV
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6665708114:AAGlqK2_JNlXxxhbSB4vkXIExuLTH0TPR9g/
Targets
-
-
Target
85e2f1571b7a214c97af1f1ed776f2f3d8958abfcc7301d14f4d435984287af9
-
Size
741KB
-
MD5
9341b17fea0b6ed0eb2c904af804f77c
-
SHA1
96c99433699c39918f16151b2c24a1d5780d455c
-
SHA256
85e2f1571b7a214c97af1f1ed776f2f3d8958abfcc7301d14f4d435984287af9
-
SHA512
eb6d26429a5a56432b3ca1521ba091a915ec269a8080b0b4c57dd1db4b3e7f91c7687bf379736dc69856942e5d82b72f008d254df88f7c01113a0d7df4cc7ad3
-
SSDEEP
12288:xkCQy/VZw/NwxgO43NvmcXNYLmVWXRH5wIaZZAvhq391PaOvFfV:Ojy/OiYceuy85AZGvUvpV
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-