General
-
Target
123048aa21e51aea3706e8e7ed3f2567523f83039901afbea0e94aee8b27229a
-
Size
683KB
-
Sample
240521-b3fs7sea79
-
MD5
32f627e7366748dca9bbb2908177261d
-
SHA1
30fdd73783ddd1d7240583c45009e395483fdea0
-
SHA256
123048aa21e51aea3706e8e7ed3f2567523f83039901afbea0e94aee8b27229a
-
SHA512
9ff4b18144523abe4f716082a0d03052126d29098058e4ec2f0be735df829f9e02c120b8ebbea2ebc118efbcf430b3e649a8ab5a59fd1328da5758ca5b46b470
-
SSDEEP
12288:jCuWe1J5O403gPnW2XpGz8kJn++FB4WPrxOpNAqNV8e+7CuB4P/kzH:j/Lx03gPn7XI8ytDPNaTR+7CutD
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.oceanskylogistics.in - Port:
587 - Username:
[email protected] - Password:
Shipping@224554 - Email To:
[email protected]
Targets
-
-
Target
NEW SIGNED CONTRACT SHIPPINGS DOCS.exe
-
Size
757KB
-
MD5
1e68c8a1bd1803332029ee35e3c1c5d2
-
SHA1
3debfb4cf61afc49a7069e79eb37d28af5bea1df
-
SHA256
6acc7e95d7e83817a3109bfbeb8a6759bb056431a696a5171e820ceb982917e0
-
SHA512
30b518de6ecb9550cd8fb362a60104d213d17ff2b2cc6afbffd516dac74d578e79feb6ba9e5788d586550a2fd3e222b822927dbb22e1a9c0cbb4dd15e9b5e607
-
SSDEEP
12288:+ISWET/mr9K+22BEEzFatnVP9W25pozUmbl++XB4+PRxOdNyqNVw4e70PcJWJu:iWtb3BEbP975qUmXNPPIJre7T
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-