General
Target: 06092024_1404_04092024_PO89700.PDF.7z
Size: 607KB
Sample: 240906-rc9llazfkp
MD5: d5d5667ccb487f89d0ae9060e5ee608f
SHA1: 08f7e45fd4a00f9960ab1390385f6451bcb4204a
SHA256: faa00f616a2fbf61a7c9719a55099c89e9a8755b7f5475722ae8b9f97a2e0a9e
SHA512: 7f7734214195a0d425900465ec8c8b340cdb652fc27587c8fd082e986d9008bcdf15cc63e755f130f8a20be42a2d375ab63c9cec1ab87af994581a5ab006ba3a
SSDEEP: 12288:J/8saittY5aahtjvBVyRhHOhi0pIykbOLEtZ7mLbrxE2j:Gs5ttEas1BVy7F2I/5KTxE2j
Static task
static1
Behavioral task
behavioral1
Sample: po89654.exe
Resource: win7-20240704-en
Behavioral task
behavioral2
Sample: po89654.exe
Resource: win10v2004-20240802-en
Malware Config
Extracted
agenttesla
Protocol: ftp - Host: ftp://ftp.jeepcommerce.rs - Port: 21 - Username: [email protected] - Password: q[0r3BqZHV[u
Extracted
Protocol: ftp - Host: ftp.jeepcommerce.rs - Port: 21 - Username: [email protected] - Password: q[0r3BqZHV[u
Targets
Target: po89654.exe
Size: 667KB
MD5: e046d7010507e6501ab1c686631afd23
SHA1: 60d78477fd3e9a17f782a3abdfdea5d3d7fb5239
SHA256: f84fb3796d2afde51b6249b7656cef901cf8b66ae2ea5ba105dabc8683cf4236
SHA512: 1684cb55bcb4d08c75e6bef3ff8833cf0721899d9ab67f7e6bc4b3bf2531aab240ed8ebccdeb543775806d2b2db4f81a6754596234a73d936756837d385998b1
SSDEEP: 12288:xs05Es3wtYY5taht1nxVmRhHOh50p8ykbOLVtG7mLbrxUh:uyEs3wyEtsfxVm7k28/RKTxU
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Credentials from Password Stores: Credentials from Web Browsers
Malicious access to, or copy of, a web browser credential store.
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.