General
-
Target
checklist.7z
-
Size
301KB
-
Sample
240523-thcvxsgf62
-
MD5
4bc063b598b0ffef09e38d7a3680f9f0
-
SHA1
78bfc209c845543e952a82dbbd6538efae5ca3fb
-
SHA256
dd1077fffd212f1e8d1515a98ef66393a84064553bb9556a7a577f3fc6fefb3c
-
SHA512
0c769ef4eb59c19576160c997d0bbd1a7ef5ee3cbcc2ae5283bad2ba1c71cdf8fb006004a0b56e0193cb3fbef769967e6a5e67a8c0303ecba406ad02a43e2bab
-
SSDEEP
6144:PERva6GZBtXZ7L5wAzT1GlwpbPtK/JBoxqerNvkzegl1ZeUz3ses:PnBZ7qAzTQwnoBoxqe5vS7l1Zf3ps
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.iaa-airferight.com - Port:
587 - Username:
[email protected] - Password:
webmaster - Email To:
[email protected]
Targets
-
-
Target
checklist.exe
-
Size
498KB
-
MD5
f53753567d26f08858674d27c2222e8d
-
SHA1
06f8efd5a96b625d8966df80ee3b8f76fb3d4b0e
-
SHA256
5eecdaf0426291c6db36cc79cba590e61248a5364197d82228da2074a7fa3bba
-
SHA512
900b1d005e1c5ad4ad9980af5ec495c009e2a32200fd0190e56746796acac4e68f66d55a030395c938b387eaee9c34a490194ae6bc2bca4e1e4b265a46192bb2
-
SSDEEP
12288:imo2oiXB/6DuKf8I6niPW/Q5f7rzYP7r9r/+pppppppppppppppppppppppppppv:73XlnKf8Uayo1q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-