General
-
Target
0ac1fd14f91e1a8ba33c20c745227a42.bin
-
Size
627KB
-
Sample
240425-bc51eace47
-
MD5
41dfa863871029a8f713c36e28157b47
-
SHA1
045a0c556de8799d82bb46d2bb864c7c57a13eff
-
SHA256
bb8ca12669d9d1f0a8279d866a94575d7574650c5febe65fbb99f9da7819a401
-
SHA512
9b2d7f26e0b29c5db07102f1ed7fd74d604e9b23495e4600ccbbb3d555e11c7e0314e7fe2f0be1e46fd8713774f05d3f35703010d7e20439e2e04884ff09c516
-
SSDEEP
12288:d1Ca+KNmH6uXhhwIPiVKJzp8QkHYw3bhp46tpw/+/pOwdL:d5+KNmHL9SKBGQwYey6rw/+/pOC
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.dzkraljevo.co.rs - Port:
587 - Username:
[email protected] - Password:
dz@kv123 - Email To:
[email protected]
Targets
-
-
Target
80c8ee15f76183a9f93327c7eb3e40a384ea744602aa14c2a2b4bc2476c11010.exe
-
Size
824KB
-
MD5
0ac1fd14f91e1a8ba33c20c745227a42
-
SHA1
02ef317af2f717ef2a66a291a65b4ce413c57288
-
SHA256
80c8ee15f76183a9f93327c7eb3e40a384ea744602aa14c2a2b4bc2476c11010
-
SHA512
0e8531f43cd746ac2c2cab9d1d7852d531401ae4cef9f7c38a5975e3fa1a68d95d4d06b9ecc079a41e7e6e8c739d7e6b4314c82d3a088fc324a493be62e21499
-
SSDEEP
12288:6ZCLTMHf/pE+PBC3J4ysPPkazp2BuEJrRNEcJwkgKGTcf:6ZKMHJE+Po3JhUp0uEJrR3WkgI
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-