General
-
Target
f927f2ce41569d1d2c5a576d93374ace_JaffaCakes118
-
Size
863KB
-
Sample
240419-bd3axabh83
-
MD5
f927f2ce41569d1d2c5a576d93374ace
-
SHA1
1493b82cd46be1ef2fb45bc12c432d0bcf175a90
-
SHA256
1e3432a2d3072ee5958b26e15d97ca1f6734c3522e701682b237544f5eb66645
-
SHA512
38683269641058931c9f33aa3ea817ecbd1ce66afb353f4e85be3ef19af494016ec81cbbf63d269737a07a9f6a0f2feda5044183bf0f53d576740b9fce88dcff
-
SSDEEP
12288:w1cfM/nlPljFQnV40j1yxdTw+MSOVtki1Nv0IeGN+grplH6eUNFje1jwt2NjFoO4:w1Fnl9jFQGdwlOeNv0IIgrXccjwMNjR
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.ifyportal.msratnigbureau.com/ - Port:
21 - Username:
forbes@ifyportal.msratnigbureau.com - Password:
Ci=q&_lH#LWf
Targets
-
-
Target
f927f2ce41569d1d2c5a576d93374ace_JaffaCakes118
-
Size
863KB
-
MD5
f927f2ce41569d1d2c5a576d93374ace
-
SHA1
1493b82cd46be1ef2fb45bc12c432d0bcf175a90
-
SHA256
1e3432a2d3072ee5958b26e15d97ca1f6734c3522e701682b237544f5eb66645
-
SHA512
38683269641058931c9f33aa3ea817ecbd1ce66afb353f4e85be3ef19af494016ec81cbbf63d269737a07a9f6a0f2feda5044183bf0f53d576740b9fce88dcff
-
SSDEEP
12288:w1cfM/nlPljFQnV40j1yxdTw+MSOVtki1Nv0IeGN+grplH6eUNFje1jwt2NjFoO4:w1Fnl9jFQGdwlOeNv0IIgrXccjwMNjR
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-