General
-
Target
78fe1ea79893cb2c0357f24f01fc5237.bin
-
Size
623KB
-
Sample
241121-bqys9ayaqq
-
MD5
626f4510211d0f7f43a2cd33058566b0
-
SHA1
35ee143cf31409ad17a5d1887999d252d7a3695b
-
SHA256
9de6d5b538e1d3c49cb630fe24fd7979eaf38d855180335da8023d627a6ae787
-
SHA512
cd92c970f1990173a7b0b2e00da636bf1586def0c4391046e35e21f9f71f17eda77ec8cd578ebe3946e93aa76122e0e5f6083bf456bec6cd485be62946672349
-
SSDEEP
12288:WszF7GBDBdsWZa1l57PJ45+B1fxgTBSXxPxLAsh1iumJuVfKQe:P9GBDjLZ+LPJOaf6TBwlRNidQe
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://cash4cars.nz - Port:
21 - Username:
[email protected] - Password:
-[([pqM~nGA4
Extracted
Protocol: ftp- Host:
cash4cars.nz - Port:
21 - Username:
[email protected] - Password:
-[([pqM~nGA4
Targets
-
-
Target
MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe
-
Size
653KB
-
MD5
296a91d852273bd8f8ea784f814e8e54
-
SHA1
47a5391f798e645c075a074a7cddfab468e449d5
-
SHA256
bdf6c1caee139afdf9122554e47a2b1f56dd5598447dced5cf81cafac1dfb7a0
-
SHA512
0b801c4a4abdff47d84138600eb9db78d68591a12332e2abf00fe0da3b53e51c415a157aae9934bce63ff6ad1c6e7bb8adebcb1bfa12b91f40ec374ce53bd1a6
-
SSDEEP
12288:W1Bo7KvAGZ2/IwuiwQ6CTCPuNCgHt1WH/ctA9upSNtira7Xs:W/o703ZQ5pGPuMgCH/9upTrag
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-