General
-
Target
999ca0e7913ab5e72f3d01ce7833b024_JaffaCakes118
-
Size
330KB
-
Sample
240606-ar8t6sde97
-
MD5
999ca0e7913ab5e72f3d01ce7833b024
-
SHA1
59f63b41b3241e01f50fad953cd61c7776b13f32
-
SHA256
b6616b1c6c07ec1896a546d43a0e032c7c64407c19ae902ff7c7f0231bff6f46
-
SHA512
9658ac74aace061458036741acd8d76e60b39bd50475b8fe6e4f92956054a2209d0217295323e67c83d414b165f21c336b1a3b654ff93d1f3a57110089211180
-
SSDEEP
6144:w5lJIGMfSo2WkmeMv0VgxxqlAHMNm6fGgyz0SzKE+NrbnFwt+gHlFvb7z:kJIjSokmepy/qln06fIWXFwbTX
Malware Config
Targets
-
-
Target
invoice copy.pdf.exe
-
Size
681KB
-
MD5
8a627edde43c47a592b9f4c9f29f489a
-
SHA1
74f0491f86065a952ad14d19ceb3b59528289af6
-
SHA256
7200b362dfb336483d716fbbd84930894e5c8c28acd6a2ceff2b5da5cd3894fc
-
SHA512
a860d208aaf8ea9f15c41170aba13a9e8a08d972c7bad0251bd53a5cb0cbbb162578b11806a92a9a6f1dea6a44061c3ed1e6166aa0f1d50c87c3e177c3189921
-
SSDEEP
12288:LjBQofmNv8Y2hdFXsnlnOde3+JGDXwLZT0ldgyZbCmlAjt:xQZb8VCr3+EgedF3A5
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-