General
-
Target
0498e11560e06f4cb1106090c50da8bf183f8abc61d61899f02c5fcc70d124d8
-
Size
822KB
-
Sample
250115-bdymqavpfw
-
MD5
7b01cf5012010e1a56aef49e27369788
-
SHA1
14ba7b037a2073a51e1bd550f5d2b5077622500d
-
SHA256
0498e11560e06f4cb1106090c50da8bf183f8abc61d61899f02c5fcc70d124d8
-
SHA512
d7c959e039202e4719fb5c109a602104f80e0cac8388e8c6df639b2c3fdd333e8308a92863ee352b543c0f46856a74b21d150bb69fadf916626f584cdb9b7c4a
-
SSDEEP
24576:D/bMncfN8zXetwxlaH8UjbR4JEoj/cfPbbjF:DgncqecackbR4JDYPbbB
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.controlfire.com.mx - Port:
21 - Username:
[email protected] - Password:
0a4XlE=4t8mz
Targets
-
-
Target
facturas y datos bancarios_75653475687564534465345.exe
-
Size
2.7MB
-
MD5
5e273002608afde56c1b98c5d66438c4
-
SHA1
ae2d81db9e03a7b98c3d06c8fe6e53be3d9f12b0
-
SHA256
2c319e26c9e897be8aaab05e0451c61bc2335f108298898f47168f610f36899d
-
SHA512
1d9180d89d89f27bf3bb4cbccffd05cdf84ecbdbe6be61656e68069d699e2bcc5da4d5d47bd18f14d5343a34c05a4f2a6120d8de61a20e99f254c199b9842c20
-
SSDEEP
49152:0bdYAm4zEbdYAm4zXbdYAm4zKbdYAm4zFbdYAm4zB3An3AI3AJ3AuObmMM7qAp:mdrWdrrdrAdr1drlA3AaAtAfy7q
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-