General
-
Target
cd3754976ede221faea878084c12f20a.bin
-
Size
665KB
-
Sample
240329-d95f9ahd96
-
MD5
26af6ff4bd21281dedbb50a760b58ed4
-
SHA1
4909f2cab661a31237832b38b22b9b7b48229e83
-
SHA256
42de17e0461d64e2bd8c3e67cb36387d866dba898cc6e18f432653da9f83a580
-
SHA512
ff027b75b4f0f0878733f6e3e601d345249ae1277e273141e469b9204d4140cf518013a510abfc83876105015f0764e11853544e6fff89ee57c081ba6422692f
-
SSDEEP
12288:pKUyOPLeo1/TARiC9SjiKysnA4yu28STXQxTljrizCNbY3ZPwaGuHiF1R5gzw:dyOaodEiqSjiKysnK0SDst63ZoFmORS0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.shivomrealty.com - Port:
587 - Username:
[email protected] - Password:
Priya1982# - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.shivomrealty.com - Port:
587 - Username:
[email protected] - Password:
Priya1982#
Targets
-
-
Target
0dbd99dde1de7165ccde4c0b87b7c533fb79fb3c99e59356a23f74f939d7a32d.exe
-
Size
725KB
-
MD5
cd3754976ede221faea878084c12f20a
-
SHA1
5034bade13d439d013bd94bc856c29aba36ce3d3
-
SHA256
0dbd99dde1de7165ccde4c0b87b7c533fb79fb3c99e59356a23f74f939d7a32d
-
SHA512
31e10adde937c0f0131928c55bbfe96377c26d03bee8e17598fdbd818a859ebd2cb3e76ac9fe25c342732061774fb58a1086dcf9910da7e25225fe9addd0011e
-
SSDEEP
12288:WyW11Sh2iNw/yBLfbBMKkWudtyH62otT3nV431hP7kH0tiYR9yqg2aVmADYZr1S:IDw1G/y5fbGKRud8H62otT3G1hgM3Ro2
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-