General
-
Target
eda9c0f50d134a2f685620507542d877_JaffaCakes118
-
Size
788KB
-
Sample
240411-r3lmfsgg4w
-
MD5
eda9c0f50d134a2f685620507542d877
-
SHA1
f828dc5d314ecd84505af09935de8a46e49fb869
-
SHA256
003ecbee9386ab26c2d614ab61f60b13cf32c1551aa9efc0f6bd455421327fe4
-
SHA512
53c3500e2b113ef27d18cb23cd058983973a9c7e5d3f6c1853d4b88c2d74dbc6b97e8b08780d1046141433f0151c05004b4db17c9ddeb44182cfd777fc3a44b8
-
SSDEEP
12288:e4ZZvOqQ/h9mBdaBh1HzcU+BVAH6No/lqSPuCKDbm0B9SJ/sneBLwBV7dxW0Ri9L:fZZvOqQ/h9mBEX1HzTcVAHqo9qSPwsL
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.rosaritoindustries.com - Port:
587 - Username:
[email protected] - Password:
aircondivision2019
Targets
-
-
Target
eda9c0f50d134a2f685620507542d877_JaffaCakes118
-
Size
788KB
-
MD5
eda9c0f50d134a2f685620507542d877
-
SHA1
f828dc5d314ecd84505af09935de8a46e49fb869
-
SHA256
003ecbee9386ab26c2d614ab61f60b13cf32c1551aa9efc0f6bd455421327fe4
-
SHA512
53c3500e2b113ef27d18cb23cd058983973a9c7e5d3f6c1853d4b88c2d74dbc6b97e8b08780d1046141433f0151c05004b4db17c9ddeb44182cfd777fc3a44b8
-
SSDEEP
12288:e4ZZvOqQ/h9mBdaBh1HzcU+BVAH6No/lqSPuCKDbm0B9SJ/sneBLwBV7dxW0Ri9L:fZZvOqQ/h9mBEX1HzTcVAHqo9qSPwsL
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-