General
-
Target
fa7d4cb090b31cd342f71d47cd10611b_JaffaCakes118
-
Size
717KB
-
Sample
240419-rn7w5see83
-
MD5
fa7d4cb090b31cd342f71d47cd10611b
-
SHA1
17e6a47cca7bd89afeb09b6ddb9f7498ff82e09f
-
SHA256
2ccebd1dd2000856f9aa8ef98853f7ead9a30857e615e094aa2079cdddd1252e
-
SHA512
816db1b7819daa795628edb0d5e8ae14b58667e974aa631b7b16cc9180b35e5adb5d883c7c0b305b4f810305b60d6783340a03e0d5a4c1f626445bf6081adee1
-
SSDEEP
12288:C4foh08OGQu/LXqJFTPGzSQsvc+mo+rTjOWFPsGpIegZxbdcYwrFQMvIKB5v0c/O:C4nnGQO7qazltRu3bdhR
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.grodno.by - Port:
587 - Username:
[email protected] - Password:
9qd8$2NonPD
Targets
-
-
Target
fa7d4cb090b31cd342f71d47cd10611b_JaffaCakes118
-
Size
717KB
-
MD5
fa7d4cb090b31cd342f71d47cd10611b
-
SHA1
17e6a47cca7bd89afeb09b6ddb9f7498ff82e09f
-
SHA256
2ccebd1dd2000856f9aa8ef98853f7ead9a30857e615e094aa2079cdddd1252e
-
SHA512
816db1b7819daa795628edb0d5e8ae14b58667e974aa631b7b16cc9180b35e5adb5d883c7c0b305b4f810305b60d6783340a03e0d5a4c1f626445bf6081adee1
-
SSDEEP
12288:C4foh08OGQu/LXqJFTPGzSQsvc+mo+rTjOWFPsGpIegZxbdcYwrFQMvIKB5v0c/O:C4nnGQO7qazltRu3bdhR
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-