General
-
Target
a02648d9e8498ef3c2846371680db10f_JaffaCakes118
-
Size
489KB
-
Sample
240612-k51e3axbne
-
MD5
a02648d9e8498ef3c2846371680db10f
-
SHA1
e1629831568e993f984a18c0ff55cbda385f3ee2
-
SHA256
34b1c6c20cd82d093a0e6755ae73f6ed23ff7aa737a2a9e5d30b006a9fd5ad3c
-
SHA512
dc558dc285d8b2e1716ee2f64eb0cba67f59741d963c995563d8ef8271841a0a293905aca624df5618153b733e6bc39a9bc9311497b1ddfabf589d3ef83147d7
-
SSDEEP
12288:7GYoW5lxg/p40yeinCCXFSnB4U+yiDQf18HI/cnuu:7GYNHxg6jXUKbDQN8H6s
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
335410
Targets
-
-
Target
Halkbank_Ekstre_20200603_080247_232393.pdf.exe
-
Size
582KB
-
MD5
32ebeb323b54e54f34c93ac37fbb7c4a
-
SHA1
d04a040ab6138f657396bfbe15f4755488d13a51
-
SHA256
7547000cffcd87e9e090bde11e04477a2ec2f57dfe468c217912e0afa2e530d3
-
SHA512
c8ed211171aab472547bdce074cc6ad706a17720b7a46f54b0ced7751587d2914493234c26582f53babfbf1f9ad454ec22f1902ade2afa990a3ca43a6c33c65d
-
SSDEEP
12288:qS+QOamWtnnGCXFYLBmUQyADQfF8FI/71+zE5z1:nP1BtfXOszDQt8F6
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Drops file in Drivers directory
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-