General
-
Target
b27cd1c4f56f7b6be843a33711d1b602.bin
-
Size
117KB
-
Sample
240425-cdg6eadd81
-
MD5
a9aba08f4cb9193f6e8264243fa3f54f
-
SHA1
465f4aba47a7d7c4f8b72d36d813beafe8e550d3
-
SHA256
7ec1fe14fb7987ef543e2e1a69f89f3203734a81681906e3082bd839fdc385af
-
SHA512
c8daae972b6658d967a0c32b43675939d8b6b45e8ba58a92b7fc3b908e6413b70dfca4eb159f9a2c01735f6ec1933cc43a860d87c573fc7809c3ccf56724e8dc
-
SSDEEP
3072:QcsoIQXDiV1cxvgdIJg1g3In4KK3cxg2MgD:0oIIY1MKd1mIn4KKkg25D
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
2ogFj^8ECV(?
Targets
-
-
Target
CR-FEDEX_TN-775720741041.vbs
-
Size
229KB
-
MD5
337a01a2cdc2ce2af2292b25005b2ae9
-
SHA1
ccf44f87fdb19956aaad1b12895de16bb0c0a0f4
-
SHA256
3fe507970779d2d32f1b4083e87417da3fb7b026b3caf42e6b61ec2a9150a30f
-
SHA512
6b3b6bd69cfbf831ce873c2876ea09802de3927acd59d9c257b2cc58f08eeb5283f477e979341967c5e71e6e9a73fcb40636d58fbbf5ed5b7ec5ce981606ae80
-
SSDEEP
6144:JjvimEeg2kae621pGqbWt0JPvk+r+usYBbnPZnqtFVyNLFViFHV/O3CLpzTE8pGH:JiWqv6uVKlGH
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-