General
-
Target
b1969e370f6e1b45c7c94605b4d195c1291b517edefb41f914523b2846bcd1c6
-
Size
481KB
-
Sample
240426-bhwzpagg47
-
MD5
4a02c23ee6fbc8d543dcfad1b906b71e
-
SHA1
cda61f03303d4c02dedcef6fbf5ec0b0027eb241
-
SHA256
b1969e370f6e1b45c7c94605b4d195c1291b517edefb41f914523b2846bcd1c6
-
SHA512
daf12120889c2ff2a4ea71e226625e57667a82be75fc1235473edce41282ee1fb44baafec5fc5cdaaed80f909398a691e20f8f3bc70e50a2079f2ac29e6b000f
-
SSDEEP
12288:Z5GSxik5mg0KexDk+byvXaA9Nsk9p/xvQeOuJ24Fjidn:nVik5R0KuuPaA9Pn5IP4c
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.vila-gabriel.ro - Port:
21 - Username:
[email protected] - Password:
bVkMH6R.pfF~NN@ossy$W!_pz[bh!9l(MU%UtX9L^W}vO=mn*g*;]}]
Extracted
Protocol: ftp- Host:
ftp.vila-gabriel.ro - Port:
21 - Username:
[email protected] - Password:
bVkMH6R.pfF~NN@ossy$W!_pz[bh!9l(MU%UtX9L^W}vO=mn*g*;]}]
Targets
-
-
Target
PROJECT.exe
-
Size
780KB
-
MD5
977177ff7930860f4f208ebe1fc68675
-
SHA1
44712ca7daad4e129d83ff0e9451643fe4605a90
-
SHA256
029a6006153d100f8f27e550b7f682e49d4c3aa52b80039d5f06e8abd4d398be
-
SHA512
347d50576b78e08ea0931467dd6d1acdb6e63dd0fc7f1f3718bf6cb8ddc023fefdfcc619682816c1ba835e377dad4162a24dc34e22e17de53118a4190c9b2e71
-
SSDEEP
12288:6I+5G8cPtP8sdE0rm1OkKCJLc/Y9ysnqY0Fsiu0NQMlmNnT/RpXAlTnkw7BjZ5QY:c8P8sVrKOkrggWFsfTJpwlTkm/Q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-