General
-
Target
af245c8f5302901a6e873b880184fd14.bin
-
Size
710KB
-
Sample
240428-b7qh7sdh2w
-
MD5
aed26fdbe860f5b8c06164c656435382
-
SHA1
435b5a414d60fb2442696d0cf56531a622966644
-
SHA256
c94f7be936c30ac830483a8a129cce57e06c467aa07fd1ab1d618c3d5b8bb552
-
SHA512
4295e7be89e8c2b289275c7f0dda690f34b9228c482a44551c0a1f9bc58f64e927b0b7f47c63e8cfa125fb6054986fd3ec0ff8fd77b391a2db9f06740ab9111e
-
SSDEEP
12288:ekIRL0lzrGg54w1WSzSNJIFO5QYF6sRfCiro1YRijan+ZlPXkpOC+0Enw0mxy0sU:edRL05xpkSs0+xfpro2Rimn+nX+OCCw3
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.wapination.net - Port:
21 - Username:
[email protected] - Password:
sync@#1235
Extracted
Protocol: ftp- Host:
ftp.wapination.net - Port:
21 - Username:
[email protected] - Password:
sync@#1235
Targets
-
-
Target
Purchase Order items_pdf.scr
-
Size
768KB
-
MD5
4895ce225ebd6e1a8d1fca5d2b9cb9a9
-
SHA1
dee3c9200db88bd61653893678a83669df14761c
-
SHA256
40858de71414dce51754cc1d1098a9573e23d346c016d86e5a0492a82cb06a14
-
SHA512
8065f45b3ba63ec25a871b4f95d3934388e2be5b2907ab82791856882d021df490d06437b3d739296004138e80d5ee2c17e296f77ec5f2fecbaa76490b4812fe
-
SSDEEP
12288:AF2iN3MibrvsyZlZRkXN6wjp3Og9iUGtuPsfvBK1SDOQS6lv312Z3:AF1lfvs2Re6AZoU6BfvVDOQS6J312Z
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-