General
-
Target
fa8f5883ccac0fb33a0a642267ed4fb9d5eabdf9f60d3628e3c77fae82fca2ef
-
Size
2.3MB
-
Sample
250123-bkgyjswkbj
-
MD5
9a3e313161131cca97a64c18ddb4e1a9
-
SHA1
573ba25534889fed59c4357a265c95fb0d1f538d
-
SHA256
fa8f5883ccac0fb33a0a642267ed4fb9d5eabdf9f60d3628e3c77fae82fca2ef
-
SHA512
ff586171ecec9d25084c740748e13b6febb765ade726e5b702e5897a247e5b78868a0e6918bb1163e0474565f90876bd8dc8233187d56c267a4fdebb4ad1795c
-
SSDEEP
24576:mCKcIvUSx5dQ2/xe7fVr99cVf+5x4yS6Z0XpItJSeIUt9cGl3E7KgW6dSWD0aT:E75dQ2/w9gxoZ0XmtYeLvvl3ERdvD0
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7351654760:AAFbpZoZSrKZKoCJV2by7hbyBL3xnGEoUrU/
Targets
-
-
Target
fa8f5883ccac0fb33a0a642267ed4fb9d5eabdf9f60d3628e3c77fae82fca2ef
-
Size
2.3MB
-
MD5
9a3e313161131cca97a64c18ddb4e1a9
-
SHA1
573ba25534889fed59c4357a265c95fb0d1f538d
-
SHA256
fa8f5883ccac0fb33a0a642267ed4fb9d5eabdf9f60d3628e3c77fae82fca2ef
-
SHA512
ff586171ecec9d25084c740748e13b6febb765ade726e5b702e5897a247e5b78868a0e6918bb1163e0474565f90876bd8dc8233187d56c267a4fdebb4ad1795c
-
SSDEEP
24576:mCKcIvUSx5dQ2/xe7fVr99cVf+5x4yS6Z0XpItJSeIUt9cGl3E7KgW6dSWD0aT:E75dQ2/w9gxoZ0XmtYeLvvl3ERdvD0
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-