General
-
Target
d577f676fbfdcda0e1f513c728db4364_JaffaCakes118
-
Size
238KB
-
Sample
240909-b8pcjawbrn
-
MD5
d577f676fbfdcda0e1f513c728db4364
-
SHA1
f480768cbf615d03733db7f615e2cbb630948bdd
-
SHA256
f70ad1f7b9542c417986653f568b199897b5f0a93e2e112d7cbad305dcbeacf7
-
SHA512
02576bf9a399c4fdecd4d79f06fd70ea5bc1122cccd6310abd8ceb55c7ea0098f63701cdbb49974a83c2ce6c0eb12206124e2560422acfe453b90da68a274a34
-
SSDEEP
6144:Mg1av94JB7dAn8dJzCuoJmt2wG3vYRoBbKxb5ygfGk:z6YB7K87zCuoJmtovHI2k
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
77.83.117.234 - Port:
587 - Username:
[email protected] - Password:
J3fP8xWq
Targets
-
-
Target
RFQ and Company Profile.pdf.exe
-
Size
386KB
-
MD5
91c059e572004c5c4f8849eb57c524ad
-
SHA1
7c2a818b7242522b3511e58a217431b00c9620b6
-
SHA256
c687194bf0e340ebb8b1c699fe8bf642909ae6bd80857e1221afec82a17172ea
-
SHA512
0cfccc73ff996bdaf0e21863215178b077b2e91d73b58194b42f08957519b020b86bf406297f57fdc3a8996def65c712c292176008dea0c8d93c224e5b3c3493
-
SSDEEP
6144:skPlwMCxP4JB71n8xuKq7W9PomjZnInWuXc2iRy9y7Oq9Eq:skPUqB718souaKARyc/9
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Drops startup file
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-