General
-
Target
1a439c0c2fd8af553b956b85987445c962d225fa8f5598244be82a13d0b56829.bin
-
Size
773KB
-
Sample
240522-w3j6vabh7v
-
MD5
3d78992311b65f1f2d7ab5e128a16f2f
-
SHA1
bf873ba4e23cdadd09a1296bdb20f774b00cdb63
-
SHA256
1a439c0c2fd8af553b956b85987445c962d225fa8f5598244be82a13d0b56829
-
SHA512
d86a9a2958068989c9c676a9ae78ac672d8fe36c672b01fe01ac206f9cfe2adbede72fabba022e1ceadc71c68abaf85182b481af0169ba2701d2cfe233abd9fb
-
SSDEEP
24576:Ejy9mPVGIJssMcEVnqyCG0XhlnwvTuJNdEuiHQ:EumVgscEyCGQIul8Q
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Extracted
Protocol: ftp- Host:
beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Targets
-
-
Target
Paraskevi Lisa _Ship-Particulars.pdf.scr
-
Size
832KB
-
MD5
6f3669432b7c19215721c83a2ac6e657
-
SHA1
b892abe515c7679b15395187009e4f0438cf8aa3
-
SHA256
3460355ed7f15c26f882ae59f5d4bf95ce3b6cc3527bc6b64ecbfd86e139956e
-
SHA512
d0f85480484958e5c41f842e81c27abaf0bcf2930c283cc83aca46a63393000f39dcdcb1390e651353c8310f95f262c6792e2fd6c797589b2cd006e13cad6825
-
SSDEEP
12288:N0x504bFtx504bFWx+Fy/c/Lr/kKJD14HYLSPr1XtJv2ZUtliSjURn37Z:Kw4bjw4b7BnkTHYLkDv2ZUtlia87
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-