General
-
Target
14ab02f89637e8b8e65e1128e06347c3dc55e7fb3dac1b0a1bd158de833d59cd
-
Size
717KB
-
Sample
240328-bsgbzsac59
-
MD5
a8a92d4b136ae58b2d39213efcdcdbf1
-
SHA1
a97a0f59850aa67863316b6b881f0d0624fcb67c
-
SHA256
14ab02f89637e8b8e65e1128e06347c3dc55e7fb3dac1b0a1bd158de833d59cd
-
SHA512
ca1590d91691dc7b127ba908667305ff4b67a8c5f7c709cefd31107dcea1aa65bb26fc5e3a288cf14e857124901ccfb391ac78d48544ed996653687dfb61ac10
-
SSDEEP
12288:3KoO3mwQxR0KyCVMB+d8MzsePsZ0wo9LPiYujz6S1tKcCr3yM:3csxR0KyCVMBh0m7o59Sv
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.normagroup.com.tr - Port:
21 - Username:
[email protected] - Password:
Kingdom12345@
Extracted
Protocol: ftp- Host:
ftp.normagroup.com.tr - Port:
21 - Username:
[email protected] - Password:
Kingdom12345@
Targets
-
-
Target
14ab02f89637e8b8e65e1128e06347c3dc55e7fb3dac1b0a1bd158de833d59cd
-
Size
717KB
-
MD5
a8a92d4b136ae58b2d39213efcdcdbf1
-
SHA1
a97a0f59850aa67863316b6b881f0d0624fcb67c
-
SHA256
14ab02f89637e8b8e65e1128e06347c3dc55e7fb3dac1b0a1bd158de833d59cd
-
SHA512
ca1590d91691dc7b127ba908667305ff4b67a8c5f7c709cefd31107dcea1aa65bb26fc5e3a288cf14e857124901ccfb391ac78d48544ed996653687dfb61ac10
-
SSDEEP
12288:3KoO3mwQxR0KyCVMB+d8MzsePsZ0wo9LPiYujz6S1tKcCr3yM:3csxR0KyCVMBh0m7o59Sv
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-