General
-
Target
4286e12a3e24d185addc75eaccc631a0_JaffaCakes118
-
Size
229KB
-
Sample
240514-w89npaad51
-
MD5
4286e12a3e24d185addc75eaccc631a0
-
SHA1
26276a65997ab3ce53de4bd9ab67cdfde3ab2881
-
SHA256
7e5808daa972d856696cec4f73eb47f9ad1138631d8b3bf8db3869c7781aa29b
-
SHA512
a54a2f1a70d1c42439c7b659fe89ab92eab45c81f87cad6d5e11140ebcdfa4acd4a36cc70c370726c41a733f28c857511b6b1b4bb9acb4d4864a5955efa3f5db
-
SSDEEP
6144:/bXaJcwKINhUTSUhb5NTyv4SPYPsPCjjmkMYUCEJCq2Ye:/bScwKDSinWv3gPsqjj8zLJpe
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
77.83.117.234 - Port:
587 - Username:
[email protected] - Password:
J3fP8xWq
Targets
-
-
Target
Qoutation for April and Company Profile_PDF.exe
-
Size
361KB
-
MD5
9c7be5184e4791e825515ab678da3d13
-
SHA1
22fc60df7bf113fb67f349f2f23243bdc75cea19
-
SHA256
ccf82f0f1e542d73385df3b68f7e9fdcae3d9e2a091ea879602ba287b0199203
-
SHA512
8a67c3c0518f259fa131b44f99a5b3e1e6ffd0b8dd5bf93ab793084ed1b6cd81c9074591666e182b7ca7bf328b9051b045c54a0e4ceee9a2703804086c6bef45
-
SSDEEP
6144:Ykkwncv0EkiluaTKtjsauEjGUajqCp7GMiQGtCd8CuLmRcCV/LIRDALNXvz:YkkPcoZWhRjGZV74tCd8CuLmRjEZA
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-