General
-
Target
23052024_1327_22052024_JUSTIFICANTE DE PAGO1104.rar
-
Size
648KB
-
Sample
240523-qqmhjsdb48
-
MD5
12c3a0dbd2479e16a92bd175486406f7
-
SHA1
055cf38bfe8def1a4ab714832630aa092f3877b0
-
SHA256
cbb5e3dc2fb444b8647e1f0312e00cd7ed8a041b0ed5389391507294ef025f16
-
SHA512
62b9af4141a3d7053c007bc0aa8845c57a819e0ea0dce3591c68bd9c3fcdba161750cf8f53b485df978ed12bbc3d948963099b4005a561699f12b6ce93fc5e9f
-
SSDEEP
12288:Zewn1k8pi/WWRvUwt4Ori4C/c1M1h1qZqtnXhTIyNDAQBq5vVrEu02EsDK:ZB1odfi4CwYwZuXfNmJ0qO
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Targets
-
-
Target
JUSTIFICANTE DE PAGO1104.exe
-
Size
671KB
-
MD5
9bb3778ebbc426240ad6886ad159e721
-
SHA1
7c4c931aef0977233bebc3b8e1b0012c0c4e0b06
-
SHA256
9132607df09887bfe4d525bc748345d8a21d46a664faacaac4a6742f5ddf5e9f
-
SHA512
8b2228238d98a5f11ce918078617f5b6c5dc49d24da8a9f1ca8af617cc2740cf6fd5943a0edd60e25a5dfb0a1ad987b444cd05e6bc70fbe06e2385a9c4986511
-
SSDEEP
12288:RHMLuIEHV+1eVJNxKrhLXV6KDsdygVRqMm0ArO4WGGq/YpzNz8nJasBGT9BUk:wuv1rVJg9rN0830RNIdBGT9+k
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-