General
-
Target
4ac227785c3f1cdd4b05a9d2ebb94e88a4af65303833c4dbfc35113dc21c97aa.exe
-
Size
669KB
-
Sample
240328-cp76zada4x
-
MD5
947ec2135e371d80d87ca34a867efe29
-
SHA1
6c58ddffec036207692a8c65ebc844d3ab3aafcf
-
SHA256
4ac227785c3f1cdd4b05a9d2ebb94e88a4af65303833c4dbfc35113dc21c97aa
-
SHA512
c7f556fd7ca29906873414d28eb0e9217a767544a861deb971b5ab5b3fa7b4dc8c1a37224e383e324389c0cffd34a5a5fc362fcd570e5fa18eb47b9f1f6dd43a
-
SSDEEP
12288:RkXayww0J7RG6YnakFrTtJ7IomjXXIR+w8/6ODi6dU3bAil+8I4:WajBtN+aOrTtJ7IZ4EwQh1d9iot
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mbarieservicesltd.com - Port:
587 - Username:
[email protected] - Password:
*o9H+18Q4%;M - Email To:
[email protected]
Targets
-
-
Target
4ac227785c3f1cdd4b05a9d2ebb94e88a4af65303833c4dbfc35113dc21c97aa.exe
-
Size
669KB
-
MD5
947ec2135e371d80d87ca34a867efe29
-
SHA1
6c58ddffec036207692a8c65ebc844d3ab3aafcf
-
SHA256
4ac227785c3f1cdd4b05a9d2ebb94e88a4af65303833c4dbfc35113dc21c97aa
-
SHA512
c7f556fd7ca29906873414d28eb0e9217a767544a861deb971b5ab5b3fa7b4dc8c1a37224e383e324389c0cffd34a5a5fc362fcd570e5fa18eb47b9f1f6dd43a
-
SSDEEP
12288:RkXayww0J7RG6YnakFrTtJ7IomjXXIR+w8/6ODi6dU3bAil+8I4:WajBtN+aOrTtJ7IZ4EwQh1d9iot
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4.
-
Detects executables packed with SmartAssembly
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-