General
-
Target
52cbe65053cb32522f4da82fd1d94df0201ab9a4fe11998a19b58ef1f09f13de
-
Size
568KB
-
Sample
240621-b5r91szajr
-
MD5
42da88f4f51f0e18912f161025d91406
-
SHA1
e11f2fcb9c97933fb9fff2ec32d9b7acf695920c
-
SHA256
52cbe65053cb32522f4da82fd1d94df0201ab9a4fe11998a19b58ef1f09f13de
-
SHA512
f52e9e4b4085b1990e14b0a20a6270c24532c6ac0567fb598cdbf80ef4ee36ecab2d4f728844ba86231819b7db546dd07799a79715807323a3c07131990a54af
-
SSDEEP
12288:QU4daTDD2uBKXQJC4EzpWm5jGMw8RgFRZdfknn:Q0+ugAU4ENWmpGiRgFJf
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://files.000webhost.com - Port:
21 - Username:
tain00 - Password:
computer@2020
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
tain00
Targets
-
-
Target
Documents.exe
-
Size
517KB
-
MD5
154d0832533e203c04a41d1a49a0240f
-
SHA1
cf0ce73cf84fb5f9dba3fc9b89a98a3fa1b581e6
-
SHA256
bfc34d1697120f4c9670b022313ff1a82a5d567a87ec6a097cf1fae2336c77c3
-
SHA512
cb7175d6d4a545a54890adbf3493b42cb6c10441b221a09218d5f67bf9ac10623e71dbb3f87c78ea7a7171c6ec1283f61a142336ba3e4556d66ef867475229aa
-
SSDEEP
12288:qU4daTDD2uBKXQJC4EzpWm5jGMw8RgFRZdfknn:q0+ugAU4ENWmpGiRgFJf
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-