General
-
Target
b8c675d511021c319d33dad7518dbb91cccf6530c2494ff383e4dc55bb836b7a
-
Size
1.2MB
-
Sample
240523-bvvx6age9w
-
MD5
d2073afe212c3a89ce82088c155ca410
-
SHA1
28e26d2c42502f3b214119f5ae584a1bd07e5c4a
-
SHA256
b8c675d511021c319d33dad7518dbb91cccf6530c2494ff383e4dc55bb836b7a
-
SHA512
5daab1929affae9ddff9c569a2c348447b8e3f8e535bf065db8279fce24a7ca9179dd998f911bc338f641a581b3fa7b1bafc13dc9f5a5d568a8f0bfcbaa541e4
-
SSDEEP
768:fZDpDj/nau11+B1Z9wg4MYVctOi3FaKMUXF1x2ySCtk7PHqAk:fxpvnaK1+ZWg4MYVcAKMUX/x26qHVk
Malware Config
Extracted
Protocol: smtp- Host:
mail.dentallink.com.uy - Port:
587 - Username:
[email protected] - Password:
Salvador3274
Extracted
agenttesla
Protocol: smtp- Host:
mail.dentallink.com.uy - Port:
587 - Username:
[email protected] - Password:
Salvador3274 - Email To:
[email protected]
Targets
-
-
Target
BBVA__Aviso_de_Pago_pdf.pif
-
Size
46KB
-
MD5
c34b58d960ea87eec970a9333c7f9292
-
SHA1
ca23b1d2418edc91a2a49968738ce09a6f7bbfc6
-
SHA256
8b3aa60f494833274c18171586730f2f4650a0c8c2de4cd901d853948b6f1fce
-
SHA512
e1dc12741f2448059aeb99be1f6e0df91bb4ee655b3be892ecc027842e78c39b3388cb5748dbac8b56f8ad245312194159522619b26c6775f558b72245c64aab
-
SSDEEP
768:LDpDj/nau11+B1Z9wg4MYVctOi3FaKMUXF1x2ySCtk7PHqAk:HpvnaK1+ZWg4MYVcAKMUX/x26qHVk
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-