General
-
Target
f37a44bc37e99e96a9c7b51513c2c1198cee36538477934c30dd697cf06660a0
-
Size
608KB
-
Sample
240319-bqm2rade48
-
MD5
22032862757bf94ea600cd3aaed2e04d
-
SHA1
610e978faad42edd55a94a6b8a42bd302beefd97
-
SHA256
f37a44bc37e99e96a9c7b51513c2c1198cee36538477934c30dd697cf06660a0
-
SHA512
9624280898f7696bdb6c604de5c04377023a7ff5ba7610934fda3c97fb1d499b4bca671464b75f8f8fc942809884a4958e232dd9d7c805b005336fb34551b8eb
-
SSDEEP
12288:JbMRxhZ2mFuYd0xE2+Nc1F3/pNx3Vvolc5MUYb5cR64ofWg7HZuEE4:NMRxhmNx+u/pH29b5cMX/XE4
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.childs-plays.com - Port:
587 - Username:
[email protected] - Password:
yuttrge7v - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
smtp.childs-plays.com - Port:
587 - Username:
[email protected] - Password:
yuttrge7v
Targets
-
-
Target
DHL9407155789.exe
-
Size
633KB
-
MD5
6f6c752642671dcb19dd46c635ba7010
-
SHA1
09283babfeaedb5755db2b9086b211d2eeecc0d3
-
SHA256
7ab78e7d259ab104796723c7246268165dea4e0b3fe7dd377a55a51108710030
-
SHA512
60033f2ef981a26452416c478809e56ce040308d2a252eb5f785dcfa7e97287255fa76c7a4c11bddaf548453fd600a5ecd4d8899575ba7a79061bbaf45a0f04b
-
SSDEEP
12288:O7gRhUApwZWKFuVud+ERJ153jpdxNVvgje5Muyv54V64Uf2gMV4mDc2Pu:O8PwwAdfpjpN6hv54ATvM2QG
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-