General
-
Target
HUGEWD23ED.Gz
-
Size
657KB
-
Sample
240329-v1bw1seb55
-
MD5
ce6a619f89b55a385f027ee585222809
-
SHA1
f9316f5f4cd9b3e4d655775536347cce8aa3c0dd
-
SHA256
c4a9e68cff19b24d6f730066c0fa83d7c1ce7216ccb8daddfd08c0b44fc1094b
-
SHA512
c7f2b686a1c0905e34ec7c9917927c15ce2ee2891f07b0043dfe48f934389bba91446112f151fa76ef70b8d35d9ef8242ab31a87d122db027bdb84d074a0cbf5
-
SSDEEP
12288:DLeYFJVB3t7h+tzuLKo92wAsvxppgDss6QX67mLQqAwj+8S:veYlBAgV9zAMEDsrKQ+m
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.daiwalmi.com - Port:
587 - Username:
[email protected] - Password:
YIxs6.PYofyf - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.daiwalmi.com - Port:
587 - Username:
[email protected] - Password:
YIxs6.PYofyf
Targets
-
-
Target
HUGEWD23ED.exe
-
Size
771KB
-
MD5
834578ff3619e6710209f71f9f140511
-
SHA1
55553cde2ea2da98d476999cf191d8930916c3cc
-
SHA256
6c9a1902fbe6279ed813af09e2f4820aad4f8555b25796f9805179cf900f6aaa
-
SHA512
12c2ef1200fd85e3836fbd25265ed3b675a1aec702c3e05b09c2047dc77aa77ddcaa0bdd482f97f0229a90dc1ce2fcb142d225deb01f5397cafd87b5ac359428
-
SSDEEP
12288:seLK1Mo/nUws7AOU6sTe5Ey61YCIvM0GVhonboGR2Hw30K:seiMoUH7ABBPikjsboGkQ3
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-