General
-
Target
ELATI - Vsl's Particulars.xls.lzh
-
Size
898KB
-
Sample
240703-ka2pmsvbke
-
MD5
45cc4a13797d06461a1c624cae750714
-
SHA1
3da90808f7bcd1d5824e048452228bc88b26baf4
-
SHA256
f18031d48fcfcafe5d8d03f898262bb7cf6f71373a60166de3cc9aac4744aee4
-
SHA512
9b4d20cf471891e5a2ebb51d34f48c78e1215a0001ea5caba596a8588b72f1574514d53f301732cf4fce8884f37eff52954348f5b86212e8c2569ea89020cd4e
-
SSDEEP
24576:JG2xjtAjBwuJI20h0atL+BB1vFmjX89AEKhM2NzX7y5Gv:YYGjOuJ2h1tL+L1I789AQ8j7y5u
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Extracted
Protocol: ftp- Host:
beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Targets
-
-
Target
ELATI - Vsl's Particulars.xls.scr
-
Size
939KB
-
MD5
791a0fa627623ac36da430cef7cdb2af
-
SHA1
315eab67fce67ad032252ad3288d7a91ece4bb61
-
SHA256
d21aa01826da92e7da53cec49fa92adea1bb63d28040a8df6f61d1ee1fad1dbf
-
SHA512
b84ded009d7474b2f35c513fd71f429c78dc62d2a475dd2c2b92bfd36343487f358d09ed4a8213e3deab73fae9e36d85402a7c9af7bdb3722854f57e6efd5182
-
SSDEEP
24576:/iP4R8t0XE9OX3awaO4gBCgXRn6Fz6rKt:/iP4RDXQOHZ4gBCgBWzht
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-