General
-
Target
5f38a5d998151dfc609430ec7178de5083298f7ecd6b259d303546ff9a7b6b4e
-
Size
263KB
-
Sample
240523-cdckxshg55
-
MD5
46bb1520ff9facd894a5fa0b74978c4d
-
SHA1
5a1b81937909e88eeae4ebacd2402831880fa3a4
-
SHA256
5f38a5d998151dfc609430ec7178de5083298f7ecd6b259d303546ff9a7b6b4e
-
SHA512
4ef0d10359c9d37e8905515d9874d0c259db17a7bc414adb61aa93547ed33a485375fc67f5d8175ec878b393aa806ee5a96c2cd84ad0afb8e04dce592bd667ea
-
SSDEEP
6144:poTaPY32GquQ/tviX9MNj0gVOHQfA/VbVEXT+ccpcWjL/NKFAPuhG:pouU2GpX9woeNfAdeS2eLFaAPuY
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7078346326:AAGX1CDPoWJfjkrOoEPVVRU8q_dn7nh6dRU/
Targets
-
-
Target
Shipping Documents POV2405023/Shipping Documents POV2405023.xlsx.exe
-
Size
371KB
-
MD5
d94f324b3483803d84eeba84f631ff39
-
SHA1
347ee79e6a0b1c5151d94a2492bea9281d0eae01
-
SHA256
5795f7ad5151237b31b31a6c35f05cc84795d215a8cf5483f088a986f8d97447
-
SHA512
07167cc578a71a000cbe5b4fc778acf130dde1d063f4c425aa6cdbc7ac6c4257ba1c378abdea3f4d8a7555aa0894241f66da1ddde790ece8d4f578515136b4e5
-
SSDEEP
6144:rtJigmu6zKJXHkNk29y1yfDME9L0I/HKq6AlclSCIm5chd9ocC7e5I1BA:vigmpzKJXHz2U1yV0ICq6scI7C7GX
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-