General
Target: iwantthisgirlsleepwithmeforsucharealoveicanunderstandthewonderful_____lovetoseetheallthroughloverpoint.doc
Size: 62KB
Sample: 240307-srjjdsed65
MD5: e0bc364904005b4b71bdb5a9a74088ac
SHA1: 8c322c12f7661e77b382a6d53ceafd3dce8c16c5
SHA256: d9e3a591c7151aeefe18a1d1c36ca895c7e91979ff491bfd7b629d4e5f4d1c89
SHA512: fa14a02903d04e4ffe22d5881f29b02fb12053aba2c01727ba8c493decac352064ce17751de2be1cea24bdc7dc5e47722dc6607aedfc566e2b55c48e57917528
SSDEEP: 768:9kb1zDeZmWJHEZZMMJbqU5PY704JS+Nvrz9cF9ky0B5:9kb1F6s5bqUdEdS+Nv/9Mn65
Static task: static1
Behavioral task: behavioral1
  Sample: iwantthisgirlsleepwithmeforsucharealoveicanunderstandthewonderful_____lovetoseetheallthroughloverpoint.rtf
  Resource: win7-20240221-es
Behavioral task: behavioral2
  Sample: iwantthisgirlsleepwithmeforsucharealoveicanunderstandthewonderful_____lovetoseetheallthroughloverpoint.rtf
  Resource: win10v2004-20240226-es
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.elquijotebanquetes.com
Port: 21
Username: [email protected]
Password: kFxADjwNBm$_
Targets
Target: iwantthisgirlsleepwithmeforsucharealoveicanunderstandthewonderful_____lovetoseetheallthroughloverpoint.doc
Score: 10/10
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext