General
-
Target
188031MES_S Quote_1.rar
-
Size
559KB
-
Sample
240429-mg376agc94
-
MD5
03f38e5b94f9e9df203888f31185f5ee
-
SHA1
d27ea0d01165e1363824d67d51d70ac5e56765ca
-
SHA256
0aab9f084cedfcdf18dbfe477fee6446ac489d20fb6e055bbabcc3bc67e63043
-
SHA512
6d13bd63e0070749369e86fc40ef9509c886008dfe0332433d1652d5b996fb57e63b7b7423ac5ed31ea790ca56c85612cf8de3264b240c4a9b971e10ec7db906
-
SSDEEP
12288:AN/IbfOUol3vx8JmMHr+RVQOuKMA3vZ9z3Zv1lq/FIaTE:A9Ibel3vx840ebuEZV3Z1lH
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mbarieservicesltd.com - Port:
587 - Username:
[email protected] - Password:
*o9H+18Q4%;M - Email To:
[email protected]
Targets
-
-
Target
188031MES_S Quote.exe
-
Size
581KB
-
MD5
3eea1594e18c22765ffaa81a547c2f61
-
SHA1
dbad219d5fa4c3e1dbda63f73d6de0d951ebd5cb
-
SHA256
25a1241fa5efb1cedca9c984dce1f39ff7452b18e33b2368cdc830b7abbe3ea6
-
SHA512
5a4e637829b362e1db5723a47d99c41eee143faa61054aa7b4c086d107a7c90132f85565aa8110516e7b3bc60aca82701a17cd640a0fb31b05c6fb2835cba86b
-
SSDEEP
12288:sSwB778QsjYmRQ0vKviVYh3oyMwU2+WvtlO+GjNQ34b:JwBjmxCV3oyMwU2+WV8lxS4b
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-