General
-
Target
d08da428bc6f02839f81ccd9bcfe41bf802e4b6d3a7f42dd682c424f2ca7116c
-
Size
602KB
-
Sample
250109-bfw7nstnfk
-
MD5
f4e07aa9c08dd390d4242d4571170f0c
-
SHA1
71d0534361571acf8b25c8f133b6c17c4a0750b1
-
SHA256
d08da428bc6f02839f81ccd9bcfe41bf802e4b6d3a7f42dd682c424f2ca7116c
-
SHA512
da236f5f6059fb2edc7794fdda8063eb03f03606800902f8e0e0c72ca5d08754d38803c2f366aebb83327cfcbd83e545adea53fa5e932d112e395a2b32db4741
-
SSDEEP
12288:qug9jk/7Y9A+Xcy6x0r0Y0V3IXiLsQ/3Li8AlSecC5qpAwR6aOQwm:y9S+Myajrpb1/3qS4C6aqm
Static task
static1
Behavioral task
behavioral1
Sample
d08da428bc6f02839f81ccd9bcfe41bf802e4b6d3a7f42dd682c424f2ca7116c.xlam
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
d08da428bc6f02839f81ccd9bcfe41bf802e4b6d3a7f42dd682c424f2ca7116c.xlam
Resource
win10v2004-20241007-en
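An added static-triage example, not part of the report or of the sandbox's own tooling: a .xlam is an OOXML zip package, so before detonation a triager can list its parts, check for an embedded VBA project (xl/vbaProject.bin) and look for package relationships that point outside the file. The report does not say what this add-in contains; the package built below is a constructed stand-in, and the `example.invalid` URL in it is a placeholder.

```python
"""Static triage of an OOXML Excel add-in (.xlam) before detonation.

A .xlam is a zip package. Two things worth knowing without opening it in Excel:
does it carry a VBA project (xl/vbaProject.bin), and does any part relationship
point outside the file (TargetMode="External").
"""
import io
import re
import zipfile
from typing import Optional

OOXML_MAGIC = b"PK\x03\x04"
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def inspect_xlam(data: bytes) -> dict:
    """Summarise the package: part list, presence of a VBA project, external relationship targets."""
    result = {"is_zip": False, "parts": [], "has_vba": False, "external_targets": []}
    if not data.startswith(OOXML_MAGIC):
        return result  # not a zip container: legacy OLE2 (.xla) or not an Office file at all
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # \b keeps the <Relationships ...> container element from matching.
            for rel in re.findall(r"<Relationship\b[^>]*>", xml):
                if 'TargetMode="External"' in rel:
                    target = re.search(r'Target="([^"]*)"', rel)
                    if target:
                        result["external_targets"].append(target.group(1))
    return result


def triage_flags(summary: dict) -> list:
    """Reasons to send a file straight to a behavioural task."""
    flags = []
    if summary["has_vba"]:
        flags.append("vba-project")
    if summary["external_targets"]:
        flags.append("external-relationship")
    return flags


def build_sample_xlam(with_vba: bool, external_target: Optional[str]) -> bytes:
    """Build a minimal constructed package for testing; this is NOT the sample in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if with_vba:
            # OLE2 header magic followed by padding: enough to stand in for a real vbaProject.bin
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
            rels.append(f'<Relationship Id="rId1" Type="{VBA_REL_TYPE}" Target="vbaProject.bin"/>')
        if external_target:
            rels.append(f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                        f'Target="{external_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        zf.writestr("xl/_rels/workbook.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_xlam(True, "http://example.invalid/stage2.exe")
    summary = inspect_xlam(blob)
    print(summary["has_vba"], summary["external_targets"], triage_flags(summary))
```

Run it with a path to a real .xlam to inspect that file; with no argument it inspects the constructed package. Absence of vbaProject.bin does not clear a file (Excel 4.0 macro sheets and external links carry no VBA), which is why external relationships are reported separately.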
Malware Config
Extracted
agenttesla
Protocol: ftp
Host: ftp://ftp.stingatoareincendii.ro
Port: 21
Username: [email protected] (address obfuscated in the report)
Password: 3.*RYhlG)lkA
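As an added example that is not part of the report: the extracted config above turned into blocklist indicators and matched against FTP control-channel log lines. The log lines and their tab-separated layout are constructed for the example, not taken from the sandbox run; the `[email protected]` username is assumed to be a redaction placeholder on the report page rather than the real account name, so matching is done on host and port only.

```python
"""Turn the extracted Agent Tesla FTP config into network indicators and run them
over FTP control-channel log lines.

The config text is copied from the report; the log lines are constructed for the
example and are not from the sandbox run.
"""
from urllib.parse import urlsplit

# As reported above. The username is the "[email protected]" placeholder the report page
# shows; it is treated here as redacted rather than as a literal account name (assumption).
EXTRACTED_CONFIG = """\
Protocol: ftp
Host: ftp://ftp.stingatoareincendii.ro
Port: 21
Username: [email protected]
Password: 3.*RYhlG)lkA
"""

REDACTED_PLACEHOLDER = "[email protected]"
UPLOAD_COMMANDS = {"STOR", "APPE", "STOU"}
LOGIN_COMMANDS = {"USER", "PASS"}


def parse_config(text: str) -> dict:
    """Parse 'Key: value' lines into a dict and normalise the fields used for matching."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip().lower()] = value.strip()
    host = cfg.get("host", "")
    # The report stores the host as a URL; matching in logs needs the bare hostname.
    cfg["hostname"] = (urlsplit(host).hostname or host).lower()
    cfg["port"] = int(cfg.get("port", "21"))
    cfg["username_redacted"] = cfg.get("username") == REDACTED_PLACEHOLDER
    return cfg


def indicators(cfg: dict) -> list:
    """Blocklist-ready indicators; the credential is deliberately left out."""
    return [("domain", cfg["hostname"]), ("tcp-port", cfg["port"]), ("url", cfg["host"])]


# Constructed log lines in a simple tab-separated layout:
# timestamp, source IP, destination hostname, destination port, FTP command, argument.
FTP_LOG = [
    "2025-01-09T10:02:11Z\t10.0.0.23\tftp.stingatoareincendii.ro\t21\tUSER\t<redacted>",
    "2025-01-09T10:02:11Z\t10.0.0.23\tftp.stingatoareincendii.ro\t21\tPASS\t<redacted>",
    "2025-01-09T10:02:12Z\t10.0.0.23\tftp.stingatoareincendii.ro\t21\tSTOR\tharvest.html",
    "2025-01-09T10:05:40Z\t10.0.0.41\tftp.example.internal\t21\tSTOR\treport.csv",
    "2025-01-09T10:06:02Z\t10.0.0.41\tftp.example.internal\t21\tQUIT\t",
]


def detect_exfil(cfg: dict, lines) -> list:
    """Return one finding per command sent to the configured C2 host and port.

    Logins are reported as well as uploads so that a failed or incomplete
    session still surfaces the infected host.
    """
    findings = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue  # malformed line; skip it rather than abort the sweep
        ts, src, dst_host, dst_port, cmd, arg = fields
        if dst_host.lower() != cfg["hostname"] or int(dst_port) != cfg["port"]:
            continue
        cmd = cmd.upper()
        if cmd in UPLOAD_COMMANDS:
            kind = "upload"
        elif cmd in LOGIN_COMMANDS:
            kind = "login"
        else:
            kind = "other"
        findings.append({"ts": ts, "src": src, "kind": kind, "command": cmd, "argument": arg})
    return findings


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(indicators(cfg))
    for f in detect_exfil(cfg, FTP_LOG):
        print(f"{f['ts']} {f['src']} {f['kind']:6} {f['command']} {f['argument']}")
```

The credential is kept out of the indicator list on purpose: it is useful for notifying the host's owner, not for detection, and blocking on host and port catches the traffic even if the operator rotates the account.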
Targets
-
Target
d08da428bc6f02839f81ccd9bcfe41bf802e4b6d3a7f42dd682c424f2ca7116c
-
AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer that harvests credentials, keystrokes and clipboard contents and exfiltrates them over SMTP, FTP or HTTP; this sample is configured for FTP (see Malware Config above).
-
Agenttesla family
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
AutoIt Executable
AutoIt script compiled into a PE executable. Compiled AutoIt binaries are a common loader stage, so the dropped EXE should be decompiled or unpacked separately from the Agent Tesla payload it delivers.
-
Suspicious use of SetThreadContext
Setting the execution context of a thread in another process is the classic hallmark of process hollowing and related code-injection techniques.
-