General
-
Target
2cc1007c1d98caa3dd09549ba316d764c5cf933ffa184aa4c4d68f325c7047bd
-
Size
751KB
-
Sample
240802-b24tmssgkf
-
MD5
59d3808d2d6630ecc0f7a9fc0beb896d
-
SHA1
8cc9ca1b1863fc38cb518f79ed48790c68808cfe
-
SHA256
2cc1007c1d98caa3dd09549ba316d764c5cf933ffa184aa4c4d68f325c7047bd
-
SHA512
e990e4c3deaf5bc6d0dae2bb79f63ed76f172b682031c9e6d450caa6cc089f1c5618330f4e4d1f267bf1bf015e6f8146424bd70dc30cc5902d68cff6c01ccccd
-
SSDEEP
12288:rwQPH2aJopoz2WvYtwFL28adM6irElMOcm/TkLzkSsYEHJP6fiknlQGs0lc:c0HtJYWvxL2vW+LcmrkHNshHJP6fi2Gp
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.tpsrlc.com - Port:
21 - Username:
[email protected] - Password:
myrecords1248
Extracted
Protocol: ftp- Host:
ftp.tpsrlc.com - Port:
21 - Username:
[email protected] - Password:
myrecords1248
Targets
-
-
Target
2cc1007c1d98caa3dd09549ba316d764c5cf933ffa184aa4c4d68f325c7047bd
-
Size
751KB
-
MD5
59d3808d2d6630ecc0f7a9fc0beb896d
-
SHA1
8cc9ca1b1863fc38cb518f79ed48790c68808cfe
-
SHA256
2cc1007c1d98caa3dd09549ba316d764c5cf933ffa184aa4c4d68f325c7047bd
-
SHA512
e990e4c3deaf5bc6d0dae2bb79f63ed76f172b682031c9e6d450caa6cc089f1c5618330f4e4d1f267bf1bf015e6f8146424bd70dc30cc5902d68cff6c01ccccd
-
SSDEEP
12288:rwQPH2aJopoz2WvYtwFL28adM6irElMOcm/TkLzkSsYEHJP6fiknlQGs0lc:c0HtJYWvxL2vW+LcmrkHNshHJP6fi2Gp
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-