General
-
Target
Documentidispedizione000293949040405959000.img
-
Size
1.2MB
-
Sample
241122-p3a5ls1kes
-
MD5
935e832972a2ebccd4cc728e12ddbeed
-
SHA1
005f0df29ddf3abeaaec036cfa16e447e8a62faa
-
SHA256
ca5216c9751e826a4ab8dc7b5521939717b4fa020ef9d11006bc37d31e08a0b9
-
SHA512
e3a31bf2b08caaa44d0955f773cf1d198582730fede9d6dfad032e8b49aede1dde10c7c71afaa651975926767595cc92d59808cb30dd0dbb57dae0822736e11c
-
SSDEEP
12288:mO7LcE7rjYvGrCLXBozBd6bRMgvChOW1AsQ6nBhhdBrGZ:sEcu29ozBUVMgvNW1AsQOfRG
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Extracted
Protocol: ftp- Host:
ftp.concaribe.com - Port:
21 - Username:
[email protected] - Password:
ro}UWgz#!38E
Targets
-
-
Target
Documenti di spedizione 000293949040405959000.exe
-
Size
584KB
-
MD5
5d32495cf3af0094a17aa09f76b7d27c
-
SHA1
3009c98452cd000828b3bf0ba8ad5b72d05c7f7e
-
SHA256
e6f50a0c2551c1d2593b8963bac95b0a3f4aad6d6b60d2a4e09d0c70dfd37649
-
SHA512
afa9331ef7fdf6b261b1a1164af17ab52fccb3f24ff659bd6242bf01ba210989bf326e4ba0141cdbb994f0759061f87e498a86fad7d77d566aa26dfcad35ebc1
-
SSDEEP
12288:7O7LcE7rjYvGrCLXBozBd6bRMgvChOW1AsQ6nBhhdBrGZ:ZEcu29ozBUVMgvNW1AsQOfRG
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-