General
-
Target
4c119a168b8b7b7676a510f7155807faaea3b328cb9634e5d2e4eaecd4659b41
-
Size
667KB
-
Sample
240330-bngrysdg5x
-
MD5
3f04764de9a6213bbe4be5ad91f05685
-
SHA1
01bc3f542fe8a03432298476d5ca8d42c3f60eb5
-
SHA256
4c119a168b8b7b7676a510f7155807faaea3b328cb9634e5d2e4eaecd4659b41
-
SHA512
6e639c165a2c9024b263c0fd519d820cb4e52c009feefc4fdab374b3fd1dc19a5f2b36274dc7ec6a0103369cd87217b55520fd23231f5a133cdb2172da2069eb
-
SSDEEP
12288:ZHLK1ONhwXDBCLlB0oNASrlBQvmDkIuoN2rEaHrFMhKQgDEA:ZHiONEBCLl+EASrk+4IzN2rRkOg
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.normagroup.com.tr - Port:
21 - Username:
[email protected] - Password:
Bossu_56@@12345@_
Extracted
Protocol: ftp- Host:
ftp.normagroup.com.tr - Port:
21 - Username:
[email protected] - Password:
Bossu_56@@12345@_
Targets
-
-
Target
4c119a168b8b7b7676a510f7155807faaea3b328cb9634e5d2e4eaecd4659b41
-
Size
667KB
-
MD5
3f04764de9a6213bbe4be5ad91f05685
-
SHA1
01bc3f542fe8a03432298476d5ca8d42c3f60eb5
-
SHA256
4c119a168b8b7b7676a510f7155807faaea3b328cb9634e5d2e4eaecd4659b41
-
SHA512
6e639c165a2c9024b263c0fd519d820cb4e52c009feefc4fdab374b3fd1dc19a5f2b36274dc7ec6a0103369cd87217b55520fd23231f5a133cdb2172da2069eb
-
SSDEEP
12288:ZHLK1ONhwXDBCLlB0oNASrlBQvmDkIuoN2rEaHrFMhKQgDEA:ZHiONEBCLl+EASrk+4IzN2rRkOg
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-