General
-
Target
1b8fa4375102f3f52cd1b6ea49d5c6bfff86e1fcbc1667636f8c0dc4a32521b3
-
Size
635KB
-
Sample
240529-cemghsea4s
-
MD5
a5b68081f0ac7cbada18a3e26440558d
-
SHA1
cc46e57faf91e207b9705dc09cef9d41ed02e039
-
SHA256
1b8fa4375102f3f52cd1b6ea49d5c6bfff86e1fcbc1667636f8c0dc4a32521b3
-
SHA512
214295a61a35344ae2f35dc26eed0ddaf03ba7d433183fe6dd87397728fe230047b53c2fa7aa3d6bd3b3f90ab7b8c6a7f1e0808ef9b15f6fc54e32755caa9e74
-
SSDEEP
12288:dQ6cZhfqnQ2HJCC3tE2irgdnCkPTSyQD6FVO5bngYExXeBosl/:siQQJCsE2i0AJeFVONoZIosl/
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.saleo-gomel.by - Port:
587 - Username:
[email protected] - Password:
Q_gidroadmin_2014 - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.saleo-gomel.by - Port:
587 - Username:
[email protected] - Password:
Q_gidroadmin_2014
Targets
-
-
Target
Payment Advice.exe
-
Size
666KB
-
MD5
8d68173d3c5eebeefdaafba67c7c19b8
-
SHA1
3d27bc4c53f8fd37a63689b28fadded6d5184fcd
-
SHA256
4b8bb0274ffd64b2651117baf7cde1e47f3ff8b131dbe2e36543f8405719182c
-
SHA512
4f9efef40cebf3a473396528601a6b8a2a28025a511603547d9028a579d23b688ebb1910663af0b31d2ef34ab3608ecb1606150339c407df61ef760eaf567327
-
SSDEEP
12288:HKcRV/xFfqy3QCzdwptIgdxCkPMWTUQd6FLyiyg5bDg4PG7tTiHfHl/:Yy3fzObK9FLyZgVrPG7w/
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-