General
-
Target
potty.exe
-
Size
247KB
-
Sample
240329-l2hlhsfc73
-
MD5
c74dd2eeea60b029cec23da01ee99d3b
-
SHA1
967f2d3c3123a1d95f560c33b2a19500bdc1dcd0
-
SHA256
0a767d5d50845280ef4249188e2c0febd96c048dce418da3c65fef20ebba6725
-
SHA512
87fb2a11bb40bbe82c161e55491b1b8707c95e9da9826af39079dea7b1947e91728781a5c8bd1d78c2cd1744dd3d32a0003582473d11dabf94527494a137a0fc
-
SSDEEP
3072:vjr9dpiueHjvD3SD3GgV1KONqzZZ72giQe5T2S7Nu9Lut:7r9dAHjvD3SD3d1cdZ7QQJS7M
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5905440472:AAH7yJYEREM-Uefb6Xv04uo_iKD7w2txk9k/
Targets
-
-
Target
potty.exe
-
Size
247KB
-
MD5
c74dd2eeea60b029cec23da01ee99d3b
-
SHA1
967f2d3c3123a1d95f560c33b2a19500bdc1dcd0
-
SHA256
0a767d5d50845280ef4249188e2c0febd96c048dce418da3c65fef20ebba6725
-
SHA512
87fb2a11bb40bbe82c161e55491b1b8707c95e9da9826af39079dea7b1947e91728781a5c8bd1d78c2cd1744dd3d32a0003582473d11dabf94527494a137a0fc
-
SSDEEP
3072:vjr9dpiueHjvD3SD3GgV1KONqzZZ72giQe5T2S7Nu9Lut:7r9dAHjvD3SD3d1cdZ7QQJS7M
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-