General
-
Target
4a137beab46f691e4228f0fcbe9290a4_JaffaCakes118
-
Size
615KB
-
Sample
241015-z88ceaxglf
-
MD5
4a137beab46f691e4228f0fcbe9290a4
-
SHA1
05ad309bb3ff5ca33e493bcccc018206e92f5813
-
SHA256
c9cec3069cd9d21bf5ab0269b2b5ccc52d56e763cfe4c416906ab5b1c66782aa
-
SHA512
464b2bccd5e6cb226bdb7de76d5cca8d4724ffc910455f8aa540da64263353d2ef08fb8084ca48b42bd1b075315b2791b2cfa96af9ac1b53935aa7da8f14560e
-
SSDEEP
12288:1rOwz79yXuDVtofYii9Nqz/4kIcgrKYbR5F64+jfySHsu9HENpWS:8wz79xotoo73grJt5UfySH9arWS
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.brimaq.com - Port:
587 - Username:
[email protected] - Password:
brimaQ2012 - Email To:
[email protected]
Targets
-
-
Target
SWIFT.exe
-
Size
698KB
-
MD5
73444436aa2a69b9bb1b92a07476f612
-
SHA1
6984d9dc15660d5587b7d1c03c2b55884d1f7261
-
SHA256
ea815dc254189542fbf41ab0fd55823a66c8e5c71ad15f17737824e4a429c4db
-
SHA512
5b526970cae1e1591701ea139b47dc1a8900311e9e241171dde3d27b9449a15f79090490244bd92c15e488a523f9230d827eccb083e2802bb48a4dcb5f0a5511
-
SSDEEP
12288:TdIE/HK7z71Mbl4hRXdbQa1+vCP0EI5m8NEET50pYjTSm4MHPioG9wW9h/i:WX2blqHrCEloYj59
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-