General
-
Target
03783cfb7ad21dbda75d1c0976dd9e76_JaffaCakes118
-
Size
1.6MB
-
Sample
240930-2bbchssbka
-
MD5
03783cfb7ad21dbda75d1c0976dd9e76
-
SHA1
6a3ee724e7997a1e94b13c626371784f41e38b23
-
SHA256
999e990bb183edc20c2fdf22c4897aaef68a1a1ed6005dbfaeab4a85f6e32947
-
SHA512
fe8e83702b9127b5913f7d8a6c54214af4dc15704ed99e49979171a76d36157c369e0383226e43b41d126f5e946088b6919cb6a569c2a740f129adcef94a3786
-
SSDEEP
24576:RAHnh+eWsN3skA4RV1Hom2KXMmHa/1lZ4c+G7f0mcwBfTHDEPAHpjkGX5:oh+ZkldoPK8YavDEYJY+
Malware Config
Targets
-
-
Target
03783cfb7ad21dbda75d1c0976dd9e76_JaffaCakes118
-
Size
1.6MB
-
MD5
03783cfb7ad21dbda75d1c0976dd9e76
-
SHA1
6a3ee724e7997a1e94b13c626371784f41e38b23
-
SHA256
999e990bb183edc20c2fdf22c4897aaef68a1a1ed6005dbfaeab4a85f6e32947
-
SHA512
fe8e83702b9127b5913f7d8a6c54214af4dc15704ed99e49979171a76d36157c369e0383226e43b41d126f5e946088b6919cb6a569c2a740f129adcef94a3786
-
SSDEEP
24576:RAHnh+eWsN3skA4RV1Hom2KXMmHa/1lZ4c+G7f0mcwBfTHDEPAHpjkGX5:oh+ZkldoPK8YavDEYJY+
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Drops file in Drivers directory
-
Drops startup file
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-