General
-
Target
d51117b54077c70b94453d87a8ff5cef_JaffaCakes118
-
Size
363KB
-
Sample
240908-zhnkbaxalg
-
MD5
d51117b54077c70b94453d87a8ff5cef
-
SHA1
2d7eceb50db0c8971f1cd5a465d3f18980aaeb29
-
SHA256
c0c6a30dd701409482381a871aaeb41e194ba57b647a0e903053214a155709a8
-
SHA512
a5a34c2f40487ee9e0826b35d6b3e9473d166571a1acdfd618852f75dcdd40ab8797a9b68bcfd04cb4dab942011a2928886c9903d8df55e78c882e924c39837f
-
SSDEEP
6144:t39qb0D0wjSY4u4BpOBeMO2EWjc6QVoba93gIQmlBF3o+UDXsmVf7U1b6BzUaN:dc0Xr4Qpjc6QV9lXUD3VfL9
Malware Config
Targets
-
-
Target
d51117b54077c70b94453d87a8ff5cef_JaffaCakes118
-
Size
363KB
-
MD5
d51117b54077c70b94453d87a8ff5cef
-
SHA1
2d7eceb50db0c8971f1cd5a465d3f18980aaeb29
-
SHA256
c0c6a30dd701409482381a871aaeb41e194ba57b647a0e903053214a155709a8
-
SHA512
a5a34c2f40487ee9e0826b35d6b3e9473d166571a1acdfd618852f75dcdd40ab8797a9b68bcfd04cb4dab942011a2928886c9903d8df55e78c882e924c39837f
-
SSDEEP
6144:t39qb0D0wjSY4u4BpOBeMO2EWjc6QVoba93gIQmlBF3o+UDXsmVf7U1b6BzUaN:dc0Xr4Qpjc6QV9lXUD3VfL9
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-