General
-
Target
b011d6f45feac0fc5b1e153d7f0da44b0750c177761bce45a6f7614ea476bb2b
-
Size
636KB
-
Sample
240831-pcfmeaseja
-
MD5
da86d859b56d9d0093c8faaa53c9ef4c
-
SHA1
56fdcfb3d97a32b61b65a2813454d9cc6cdf235d
-
SHA256
b011d6f45feac0fc5b1e153d7f0da44b0750c177761bce45a6f7614ea476bb2b
-
SHA512
6f1299a9519097a94c3a0f41aa5fd6950c8d498ae1894d67d2aa111fbc159b578585ba604d2a7feff2440e3d10f14c38149abe85ddf30bbf168bd108ce276a80
-
SSDEEP
12288:EoKbKEFFbpVTTV/OdAQrtdm/Nqf6Hu2uw0/C+mZ4gFfyXKEdzr:EoKmyBpFlO9+/Nqf6HuU2zq4ggH
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.aivazibis.com - Port:
587 - Username:
[email protected] - Password:
kp@BFLC1
Targets
-
-
Target
aa619da09e3fec8627d139e888381ef1dfd8bc79a67b8f473be0ae2e40619c35
-
Size
1.0MB
-
MD5
9e03276a3ccd1da3abc584204dfdf469
-
SHA1
4292112e581499f7eb83f69653f6ee40ea3aa1c3
-
SHA256
aa619da09e3fec8627d139e888381ef1dfd8bc79a67b8f473be0ae2e40619c35
-
SHA512
301d58e9187294ca582ebb31df62367e4043e3811ecbb2c2457d89dd6a6892848dfa7014c6e17c371fa9c3942a95f288bef7e6f1e5a8b0fa353ced0c4a9233ea
-
SSDEEP
12288:+R/iAtfBSkkkkkkkkkkkkkkx9L+kIkkvkkkkkkkk7ZLyzF3feqWu3m1CZHo1SUFs:+RqAtklIAvL3gnvq0A
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-