General
-
Target
bd40a3549ead6e86664cb5c293d64083_JaffaCakes118
-
Size
266KB
-
Sample
240823-1g9a3azgqr
-
MD5
bd40a3549ead6e86664cb5c293d64083
-
SHA1
b98e7d2ac36befefc67947116e662aee2bdb6f48
-
SHA256
9760939f7944a82916cf2fb969108374fbea6bb77217dbd01899b71b16d8a6a0
-
SHA512
7bd7fd39bde97c4b334212d5de8db574082944d356ddcc7f301a57db49793c387504961f87a3c3cdc0d055b5ad015647019aa8448d054458a1c526ac500d8c6c
-
SSDEEP
6144:vF8ulHgTwgmAvUSHiJOOcZ8eiI6psXv1c5IjquCtF50LpLCD:vdHgTwgmAvtgOOcieikxGzt8LpLm
Malware Config
Targets
-
-
Target
TNTPL 01092033102.exe
-
Size
876KB
-
MD5
7224c9668610d2e7c722e98e2aa937cb
-
SHA1
528fd30e17878c4382170293fde01b3486293c9e
-
SHA256
86b7a8f781a421b4e69ef1538bc1c122b0f317acbab82fa23356dfebb18af991
-
SHA512
da994362157f2909db63ce8bc4eab8073e450e0652750e3153c491c53411ee69bce91796de0d8e5f6dddb5e667bbd1be318c292b34eb4387d625d28114530272
-
SSDEEP
6144:6ZYZWBXFXfMrKmcewHuqIDU7/5mgS7q0XQxvV2B/TsSZ7ADmQK5DLlH:dxFEIDC/5mi5KLsS2KhR
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
System Binary Proxy Execution: InstallUtil
Abuse InstallUtil to proxy execution of malicious code.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-