General
-
Target
07411d6805fe9e46d141d5205fbbfdf1_JaffaCakes118
-
Size
452KB
-
Sample
240429-kl1xgsee62
-
MD5
07411d6805fe9e46d141d5205fbbfdf1
-
SHA1
a23e503dc844804d7746d8251d54a5a37e0e3599
-
SHA256
b417b1a5df3492af25ee7374f14aa09bfe597aafcafa3fc686b4b5a95eb5d138
-
SHA512
2e5f54781e86df954f0a754673ecdf9fd8d5a685d423940139aee6d63bc6d25a6d2ea19a2545212741f15a3d0a834b098b42cd3b7e1a2c8750812c5ed073ac38
-
SSDEEP
12288:9jbCsOLqBLbEteUCHL0ODT5tEBePFjQ5W6plLExYuh:9SPqCsUoBmePe5drLqh
Malware Config
Targets
-
-
Target
PurchaseOrder-930.exe
-
Size
1.1MB
-
MD5
4ea6d320b6dde091d08c301087657734
-
SHA1
3b86206d268a1a8b6673fb0bed66afda02b7729a
-
SHA256
1258e5297f23f201da4306099ea5c86f6294245cdf7f851bc1f921b5274558cb
-
SHA512
b4fecde458e4a05fe7edb43bd0fdac6392471cf9297ad1f36d866a085c948aeeb30ff6d6a1ee48a646d9cab13b3bd3c474895480f699c61b37f2fce846089995
-
SSDEEP
12288:No645lDh7VQquRMDYXO+rWJEUnob9JXJVy9X8qU2/0VRe3k/2gqlRy45R:No68E7rWJxn4JZYFUZReUugqC45R
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-