General
-
Target
swift copy.exe
-
Size
747KB
-
Sample
240507-ptxx1sae98
-
MD5
1a7e4d9265e8f744c0c62544bf1ea468
-
SHA1
5264bf1744a1c5458f4c4b9227c8d75fde8c0055
-
SHA256
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
-
SHA512
ac026f8e676082a40def69cbf5b2e7694203d90f10faec258c42289a92e47da7d4ce6aaf2d631b7fb259a0cd6dc198143b62a28d9516d6e3584a8f97c35f060b
-
SSDEEP
12288:7hk2iNT/SHVs2FPB7O15xEBU1UajQZM5svMcZf49UnwR8OS58qCMzTqTp23Xgdrg:7C1cHai7c3mEcB49MwRBa8pMHqTCXg1a
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.static-company.com - Port:
587 - Username:
[email protected] - Password:
stateng33r - Email To:
[email protected]
Targets
-
-
Target
swift copy.exe
-
Size
747KB
-
MD5
1a7e4d9265e8f744c0c62544bf1ea468
-
SHA1
5264bf1744a1c5458f4c4b9227c8d75fde8c0055
-
SHA256
3ba0d394c1cbc83eadb19d11c4f9bd2d831013ccae6f325eed11e18dfccd22f8
-
SHA512
ac026f8e676082a40def69cbf5b2e7694203d90f10faec258c42289a92e47da7d4ce6aaf2d631b7fb259a0cd6dc198143b62a28d9516d6e3584a8f97c35f060b
-
SSDEEP
12288:7hk2iNT/SHVs2FPB7O15xEBU1UajQZM5svMcZf49UnwR8OS58qCMzTqTp23Xgdrg:7C1cHai7c3mEcB49MwRBa8pMHqTCXg1a
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-