General
-
Target
afeac935741f76e212999a88386d1394_JaffaCakes118
-
Size
489KB
-
Sample
240615-xscvfs1hqd
-
MD5
afeac935741f76e212999a88386d1394
-
SHA1
79a21c65d9ddc41694387d97fda19ded601145e5
-
SHA256
ea84f4dc91ed8d180a74627b7ceca6e1b2e344ed653c0f05037682547b29cfdd
-
SHA512
cec68fe7173d0c20f0ee6733b6eceed1357fb4855822e77d6b09255355805619de6027dde4cfc42ed6980c68ea87a24823e0219b6989c30228deb6e1ed29a306
-
SSDEEP
12288:thl2tDU50N1yYSQ/r8J6MvJttcjFGlOt5Ohn1XI95Vax:fl2FN1u9nqFr+A95Vax
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.deltataxation.com.au - Port:
587 - Username:
[email protected] - Password:
flX?jHei(%+5
Targets
-
-
Target
INV 493178246.exe
-
Size
820KB
-
MD5
94ec06012c2eabfff68c349a5330136a
-
SHA1
833d6264d984eb8816a95d91e4c491c8fb8554f4
-
SHA256
d2e12e778519b6ea35daaef5eadae95b9f9e7f60676c8ddae1b321e384984c63
-
SHA512
0ceaff384363e25e860fc977252b5827b847f61b8532f6a7b725ae829069f078559ebee406ed3bfc164b5f9569e6188078c458172111fc655433b869bc9e74f5
-
SSDEEP
12288:bb6mCM9sXHh9BoRPqsxOVKuS5r70xwgeqh043L97/hOcUW9sqVZEG:qeSHhYRRxOVGcxJBdb12hi
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-