General
-
Target
c0f72ab29ef52bcaec56b606ebd53b6e19f8ea5d36a071e7985ba77f0ebd95b2
-
Size
245KB
-
Sample
240514-b3nttaef62
-
MD5
4e59411c1f579d35eaf5cb4582445d0b
-
SHA1
e0f726787f161090f05057dd26263b02c652fcee
-
SHA256
c0f72ab29ef52bcaec56b606ebd53b6e19f8ea5d36a071e7985ba77f0ebd95b2
-
SHA512
19dde11d4f1c2ac75e85fdda9e7eef24e89f73eacf9314adf5533f533a79ef45de856f08d04e580c42a5e29484a3eee2d77b69bd5592b08ee7a4a7be926ad065
-
SSDEEP
3072:np6d0SCBM+0sr5h5gVBqHWniEHcsQh6WdNUhjVI8l+X1845b46DsFG+if:0H8512UfnUI1jtf
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1263338506:AAEo1afaqZcanZqwKGJF2HA7xr6YOHyXHtU/
Targets
-
-
Target
c0f72ab29ef52bcaec56b606ebd53b6e19f8ea5d36a071e7985ba77f0ebd95b2
-
Size
245KB
-
MD5
4e59411c1f579d35eaf5cb4582445d0b
-
SHA1
e0f726787f161090f05057dd26263b02c652fcee
-
SHA256
c0f72ab29ef52bcaec56b606ebd53b6e19f8ea5d36a071e7985ba77f0ebd95b2
-
SHA512
19dde11d4f1c2ac75e85fdda9e7eef24e89f73eacf9314adf5533f533a79ef45de856f08d04e580c42a5e29484a3eee2d77b69bd5592b08ee7a4a7be926ad065
-
SSDEEP
3072:np6d0SCBM+0sr5h5gVBqHWniEHcsQh6WdNUhjVI8l+X1845b46DsFG+if:0H8512UfnUI1jtf
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-