General
-
Target
c6ca71a6099738f784dd5d98284f0cbaabfd9c869edcd40f5a307ab937f2a7bb
-
Size
694KB
-
Sample
240329-bn4aysec49
-
MD5
93e133deca5851daeb805df4179f3f7d
-
SHA1
db3af172e21f93dde8cd1041ac4db458e79120b2
-
SHA256
c6ca71a6099738f784dd5d98284f0cbaabfd9c869edcd40f5a307ab937f2a7bb
-
SHA512
6c7c5c90e8add004f1f7971992707027954ca2ba14970c3fcc24b35130782b2303d18d98b1bcea988935d53a877963a636c4d241d6c63c670b4f19ea871bb49b
-
SSDEEP
12288:l/oc0YOwqOpJkxR17TCR+RVDueQr9w3rFV2fC/S253Kkk5nq7Sdt/A0gvhrdkbza:ygO7SeP7A+vPa63rFVUCT25nq2dgvhZu
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
@qk%xm*3 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
@qk%xm*3
Targets
-
-
Target
c6ca71a6099738f784dd5d98284f0cbaabfd9c869edcd40f5a307ab937f2a7bb
-
Size
694KB
-
MD5
93e133deca5851daeb805df4179f3f7d
-
SHA1
db3af172e21f93dde8cd1041ac4db458e79120b2
-
SHA256
c6ca71a6099738f784dd5d98284f0cbaabfd9c869edcd40f5a307ab937f2a7bb
-
SHA512
6c7c5c90e8add004f1f7971992707027954ca2ba14970c3fcc24b35130782b2303d18d98b1bcea988935d53a877963a636c4d241d6c63c670b4f19ea871bb49b
-
SSDEEP
12288:l/oc0YOwqOpJkxR17TCR+RVDueQr9w3rFV2fC/S253Kkk5nq7Sdt/A0gvhrdkbza:ygO7SeP7A+vPa63rFVUCT25nq2dgvhZu
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-