General
-
Target
98bded3ea5f2a4eb6aea347e803829c41aa6158301f3d2a93f079b0ddd11763c
-
Size
642KB
-
Sample
240522-ce27zagh9t
-
MD5
e78ab77fc5817eff913890d7f1a64ffc
-
SHA1
18e9f2afbd857778d57285a01214dfd9add578c9
-
SHA256
98bded3ea5f2a4eb6aea347e803829c41aa6158301f3d2a93f079b0ddd11763c
-
SHA512
038906b8ae3b52d8e20bb560153b458d04f2076fbeee4c12b141abb6c09acb8e9cea3c32d41b1c4e80b04a9777a0ff318684fa566cfa0ee0ebedc853566274b8
-
SSDEEP
12288:444BzifTlJiACWMq0iHiTQm2loWK/PpfCB949tOXOk+0oIcm/HI6DqHc7n96xswx:4dixvMq0CiUm2itZCB9498XOk+ycAI9T
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.transafricamotors.com - Port:
587 - Username:
[email protected] - Password:
emails@tam - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.transafricamotors.com - Port:
587 - Username:
[email protected] - Password:
emails@tam
Targets
-
-
Target
Hesaphareketi-01.exe
-
Size
667KB
-
MD5
4d995589ec9e1d1a8e19d32d98efc96c
-
SHA1
8002212c298d2134cad9baa36408eb047365a8b8
-
SHA256
61aafd66296c729a040234cb1424f78bd852c3b5e59bd5df3066ca135f2d970c
-
SHA512
fae89c5d33425fb6c248b601fd44b85eb473aa783aa400676b103ba80c7c2a2bba459eee45aabd33de8ce6da947aed9acf81cc7f59c59760f4c28fd105731bd6
-
SSDEEP
12288:wVYifTolSYAmWMquiHgTQZGJS9JkaX0ULxvlk+00IcA/HI6Dqpc7Itbv:TiySbMquCgUE6JgULxvlk+kcuI9m7e
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-