General
-
Target
cecb6db9d3e82cd3150ad7c144192e300bb86678ff4a8098d3e8723b50668541
-
Size
766KB
-
Sample
240426-ctjn6shc4y
-
MD5
1a90002a3504e10b40065d4e9a84fb74
-
SHA1
5f449ecaffc2e8097607bcb653c968b73472b37a
-
SHA256
cecb6db9d3e82cd3150ad7c144192e300bb86678ff4a8098d3e8723b50668541
-
SHA512
b2e81ed18947f24985771b7d3b89b5c7bae73c63d8552d2237bc6ad775d833d0e4b077c2e04b3822c98b7a299334b567ea0aa02abd9bbff4f214f6a132abc71a
-
SSDEEP
12288:CWYIPXjxannnHg2t6/zCSQ38syT2u0foDRfDiEvM4eTuxgOcCjzt6+Myv4sHck1L:CWYIPFannnHg2f383T2u80fzM6gOcSzo
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7018885263:AAHT8gfvHTY09mtqDC-rbN8-23c7akL5PN8/
Targets
-
-
Target
cecb6db9d3e82cd3150ad7c144192e300bb86678ff4a8098d3e8723b50668541
-
Size
766KB
-
MD5
1a90002a3504e10b40065d4e9a84fb74
-
SHA1
5f449ecaffc2e8097607bcb653c968b73472b37a
-
SHA256
cecb6db9d3e82cd3150ad7c144192e300bb86678ff4a8098d3e8723b50668541
-
SHA512
b2e81ed18947f24985771b7d3b89b5c7bae73c63d8552d2237bc6ad775d833d0e4b077c2e04b3822c98b7a299334b567ea0aa02abd9bbff4f214f6a132abc71a
-
SSDEEP
12288:CWYIPXjxannnHg2t6/zCSQ38syT2u0foDRfDiEvM4eTuxgOcCjzt6+Myv4sHck1L:CWYIPFannnHg2f383T2u80fzM6gOcSzo
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-