General
-
Target
Documents for shipping.zip
-
Size
625KB
-
Sample
240417-pgj6dsed82
-
MD5
9488d6b411539fd82b92b476589ab31e
-
SHA1
d7c89be195f61a5e839fe2b18a6973bdbe1b6a07
-
SHA256
c6eddb234b3f2f3d99a2f2080e416020fac1fdf124dab907606cceade3f8081a
-
SHA512
419b989d323a7e6cb897361deac0206b23a6d79636032055140f5d19b3e7b850cd3ebc9de3f540bb411614f5281e038724930e8f82bdf6032212e4648dd19279
-
SSDEEP
12288:XFNJyfv7NtUuOL6k1qgx5a3duQ2GnsWzUxlqq4eRIb2Om:0t5OIIA3bn3eqnUz
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.tabcoeng.ir - Port:
587 - Username:
[email protected] - Password:
Jh2cWb0NSjC{ - Email To:
[email protected]
Targets
-
-
Target
Documents for shipping.exe
-
Size
645KB
-
MD5
9efe3a01db7c6a78d6cce5db681d2422
-
SHA1
43e9c09b989b86dfd869210c8adf75fd2ab67d17
-
SHA256
d0539e8f11cef371e3eaea5818978eb76f401db9a17c388a9459c41b96ea20b2
-
SHA512
0b328a177a666a0c48cf3e301279ab24480137dbec00fdd0f1f2f8315114f6f3660c5b5d1fd1385e5e580b84382b38579971601d412c0ceb9d301b712fd2ab74
-
SSDEEP
12288:gmg8ytvWnONCkDyOr5alduQkGrsEz6Liy+l2cWjoI:6hOnO0SAlNr/xy+lrA
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-