General
-
Target
MVGUO QIANG 8-PSGSIN082096.xls.lzh
-
Size
626KB
-
Sample
240523-fsw5naeg42
-
MD5
c8a307e64174155b73e38862932e133b
-
SHA1
52acb94a225b9641674d96501e05614bb32f5e1a
-
SHA256
7c10b178cee543927b900ceb7f27a96dbd96172254fe659ce22d2e2b024e5c4d
-
SHA512
80e3bad52c7fe2a04d5e1c62a81d1a4d56f59fb4195bdf7e0ac40bbace62b3d4afaa205aca59c0cd62a94e64209473e0882f03e416814ec73d58f87d9562906b
-
SSDEEP
12288:oQPXzTuNcSifbRJN/gXPZKfpi0So4LDaumh1FECZhNUFAf2sEN3wM62ZuT0nl:HeNs71UPArp4Xmh1FECiihEN3Pugl
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Extracted
Protocol: ftp- Host:
beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Targets
-
-
Target
MVGUO QIANG 8-PSGSIN082096.xls.scr
-
Size
886KB
-
MD5
deffa6528aa8ecf6e6f581ee41953497
-
SHA1
acabd0b4f33c676e5152dacd0797a06c23bb98a4
-
SHA256
bf5514d335e4930fc83a96c80379f37a04c3d7db5ce541de244f0a6dc0116a29
-
SHA512
182b82c793b55b8737edd81a66f854b965d116e964c62de5b0b3b594774037aa99f8a21adc42cb1ff63e157c5a7bc44b799b28425acba63d7ff3454ac8546b3b
-
SSDEEP
12288:/8vNAZt4fQ+foATEJyFkUtbrAllCHEhEFcu2WAPy:/8lkt4fzfhtkNfCoEuu2z
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-