General
-
Target
898de00a5dea8ae9e5952eb030212be6a71aed5fab785cbf76837afeb3ecc0d3
-
Size
2.4MB
-
Sample
240531-b9ymlaah3v
-
MD5
36e4a9266cb8ec933e884c2c481e3ed8
-
SHA1
63f718d96b53c69d793babe60c86d2bd88ba0d24
-
SHA256
898de00a5dea8ae9e5952eb030212be6a71aed5fab785cbf76837afeb3ecc0d3
-
SHA512
41fcd4258ee8a79f2a054c8bc43d87800057f8c08fd89834f55fb0aeeaf84f5daaff5641494bcf3c9b8d287c1a6815ea19baff31d7e2db52dd7ab97a5474aefb
-
SSDEEP
49152:42IpmRMF620bcNmH6626zjO3eybMKEgZAIgpxn6fBQo0N8qG:OmRoasMsuybQg90pKWoft
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.gencoldfire.com - Port:
587 - Username:
[email protected] - Password:
U+&%W@y1mSEUOinP - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
mail.gencoldfire.com - Port:
587 - Username:
[email protected] - Password:
U+&%W@y1mSEUOinP
Targets
-
-
Target
898de00a5dea8ae9e5952eb030212be6a71aed5fab785cbf76837afeb3ecc0d3
-
Size
2.4MB
-
MD5
36e4a9266cb8ec933e884c2c481e3ed8
-
SHA1
63f718d96b53c69d793babe60c86d2bd88ba0d24
-
SHA256
898de00a5dea8ae9e5952eb030212be6a71aed5fab785cbf76837afeb3ecc0d3
-
SHA512
41fcd4258ee8a79f2a054c8bc43d87800057f8c08fd89834f55fb0aeeaf84f5daaff5641494bcf3c9b8d287c1a6815ea19baff31d7e2db52dd7ab97a5474aefb
-
SSDEEP
49152:42IpmRMF620bcNmH6626zjO3eybMKEgZAIgpxn6fBQo0N8qG:OmRoasMsuybQg90pKWoft
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-