General
-
Target
e8333a1fbe05181074ecd56ead461f7cce692f052ec66f9a1527b1445070c013.ace
-
Size
623KB
-
Sample
241120-d87vzs1ckp
-
MD5
78fe1ea79893cb2c0357f24f01fc5237
-
SHA1
f23d1f9beba904a35a1814ec6eded9406dc26aef
-
SHA256
e8333a1fbe05181074ecd56ead461f7cce692f052ec66f9a1527b1445070c013
-
SHA512
b8e889a3f7318f8748ac3d567510c5574456b338f9faeb85f5fc811724cce0fae1e039eba0425826f8d89d23a6c6a1794235ad97bad6d76a7d8209591c3ef37b
-
SSDEEP
12288:P4RCzcHAjY/YdrqnECb86OUK1BILW/Cv7LZ1niTJWtaa55Q98CWnbe2SLGPt7XY:P4RicHN/YdWECb86O9nQ7LZWa3CfzLK+
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://cash4cars.nz - Port:
21 - Username:
[email protected] - Password:
-[([pqM~nGA4
Extracted
Protocol: ftp- Host:
cash4cars.nz - Port:
21 - Username:
[email protected] - Password:
-[([pqM~nGA4
Targets
-
-
Target
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
-
Size
653KB
-
MD5
296a91d852273bd8f8ea784f814e8e54
-
SHA1
47a5391f798e645c075a074a7cddfab468e449d5
-
SHA256
bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0
-
SHA512
0b801c4a4abdff47d84138600eb9db78d68591a12332e2abf00fe0da3b53e51c415a157aae9934bce63ff6ad1c6e7bb8adebcb1bfa12b91f40ec374ce53bd1a6
-
SSDEEP
12288:W1Bo7KvAGZ2/IwuiwQ6CTCPuNCgHt1WH/ctA9upSNtira7Xs:W/o703ZQ5pGPuMgCH/9upTrag
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-