General
- Target: scan_865784UU.UU.rar
- Size: 654KB
- Sample: 240930-kn98yazhqb
- MD5: ceb568e2081cb798004db61d8a9ddc5f
- SHA1: 3dd9da21da0f70abf498562feea76596168adf28
- SHA256: 004af6a9a8743250057ea5199c4764ab4d0c472babc5bfbb3b37beb74a4ca986
- SHA512: 42c958d149316f47d5a0b171920dacc58d833f2f1159281894b86b82a2b46d8a2b1655220fd9c10cb989fc0b959d76d617a6c0d82ef5c99e75f80f6e5914527a
- SSDEEP: 12288:L+ydmDlNQOMu9GRqXDR6qB63gYCmgYnZAyuuFqsFQBBeRkO1RYVZlRf+v/94ea:aydtOMu9GRqXN6DQYq2vrFQp2W1faQ
Static task: static1
Behavioral task: behavioral1
- Sample: scan_865784.scr
- Resource: win7-20240903-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.fosna.net
- Port: 21
- Username: [email protected]
- Password: (=8fPSH$KO_!
Extracted
- Protocol: ftp
- Host: ftp.fosna.net
- Port: 21
- Username: [email protected]
- Password: (=8fPSH$KO_!
Targets
- Target: scan_865784.scr
- Size: 762KB
- MD5: ab81060e67501bc08bd8a3f9bac5367f
- SHA1: f877625633f98d1f42c50e37006f808aa61630ba
- SHA256: 7ef4c75ee4a5f3b7f2ac44323d9ba15bcd24f5d0b9e3e04dc330dc6cde421b7c
- SHA512: 61782aa2dc9663cdeb016a0b0dac91cbb4eaee8f293a1f96486539dae32c144643b299c87745657ad0682208aa5586e1ad3340e62f99f371dbdc683eb3b2717a
- SSDEEP: 12288:VUxAdWvsd2eUUHd8GX5b+EE203zQeDZDr0ZeVN1csr8qHv0U3TB39:VUxpa2ZUHd8GXhE20DnFf0MVNrnPx39
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Uses the VBS compiler for execution
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext