General
-
Target
15d5c656720c532049170bcb0add018ea833c8560ab41225d34ba4a3cfcbfe4c
-
Size
649KB
-
Sample
240328-bwqptscf5w
-
MD5
d11e1abe361c5eb59a74d008b4a0d1d5
-
SHA1
aa2125a2efbdb6d2311b0c28c2e052ff023ac93d
-
SHA256
15d5c656720c532049170bcb0add018ea833c8560ab41225d34ba4a3cfcbfe4c
-
SHA512
cfd6da48f6f1c71aa581a2befe4a75aad531295ebeb953a86777e5042e1648e828d26f0bf947e66fda51395f089538eb1f347de7446d44f6b78e06076f1bb4c3
-
SSDEEP
12288:L1MG/Ysu4U6+n+J2hiYgA+ZON89hrJP/tc9JaGFbmCzfZ+SSJwAdu:L17lU5G2sYgHZb7P/2JaGNxfgSkfu
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.scannerhacker.com - Port:
587 - Username:
smtp@scannerhacker.com - Password:
VH%xMhCW$I[l - Email To:
2ndfile@scannerhacker.com
Extracted
Protocol: smtp- Host:
mail.scannerhacker.com - Port:
587 - Username:
smtp@scannerhacker.com - Password:
VH%xMhCW$I[l
Targets
-
-
Target
NewOrder957.exe
-
Size
683KB
-
MD5
e8186b2f499c72caafb1ea43430cf56b
-
SHA1
d28d8915ff14216581018febabddbd669150fd02
-
SHA256
0ad2b0a3e55c49973e7a935c3daf318d015ebd35e4362c3a4556cccffdda6b45
-
SHA512
a01c0bbf2cc97321e8c8748f7b1faa79fa0301f09045752761dd80580d41f77f78b63f6306cf778c3181e43e0ffbb2d022cb883b482cb1c9508c8b62c07c8548
-
SSDEEP
12288:6H2iNlw07DpLJ2xiY9kgJAWLhByJilNJ89+bGgC/yrCmCzf/+SS13NxI7y9bOCkR:U1XTDp12cYB1ryQfJ8QbGf/yrCxfGSiq
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1