General
-
Target
a9c38bfb583207e1f239d6b0d5ebd88c0e513de0b3191a3384278919c4335d29.zip
-
Size
22KB
-
Sample
240310-gqw8baeb91
-
MD5
69b62484b2e72036e6351beba3655b0b
-
SHA1
568d68db9a2871a8b0f80fb3a30f28c1058fd534
-
SHA256
ad5fa5366d8678ef3f45e8d34b0ef737fe7c8de55bd80595c39c268e20486a37
-
SHA512
23c288a78cb7778de8dcd63dfe84dbad628ffec9127747b7b58211a287de52eb14c0669b35e751b234b46075a3aa6ae05e6befe8edd8dfa8de38b3aaf2a8cdf6
-
SSDEEP
384:DjjSd4vlXi5WvljA+2LFToyE7nwqE/OSHUWUTuWX1hOxOK2CdbsePmLjqQu9CCmy:D/44vcWvljZmxU7XlQl8OQuUCi2d
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
cp8nl.hyperhost.ua - Port:
587 - Username:
[email protected] - Password:
5662205aceACE@#$ - Email To:
[email protected]
Targets
-
-
Target
a9c38bfb583207e1f239d6b0d5ebd88c0e513de0b3191a3384278919c4335d29.doc
-
Size
116KB
-
MD5
db2424da91067723c22e76698958d7e7
-
SHA1
2b3d5980e287b1e987e88affd62de07adba21327
-
SHA256
a9c38bfb583207e1f239d6b0d5ebd88c0e513de0b3191a3384278919c4335d29
-
SHA512
d297677f01f3edb3f1522e66b03a911270f6091ab7d9689a89c5946801175812f2ef58a8e70c2e787038c17aee7de2727eb8f36f758f11cc6067670256ceab5f
-
SSDEEP
768:/wAbZSibMX9gRWjtwAbZSibMX9gRWjtwAbZSibMX9gRWjcmbffWoQoDRfIxeGeSH:/wAlRkwAlRkwAlRFmbfeoQoDJIee5t
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-