General
-
Target
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af.exe
-
Size
873KB
-
Sample
240628-bv4v3awdrr
-
MD5
a37f4e7d2f3ac6c995f1986fcc9bb48f
-
SHA1
4e922eccec03db2683096b531801c73227e5ff42
-
SHA256
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
-
SHA512
2959cca5d24deb57910fdd7ae9baae27c3bd0790868730477391e0a7e42fd8aec21225e902c96e46ccd23c2d3b80f8cb9a43d3d4e545fcd2c1d083564d2869ab
-
SSDEEP
12288:XcIjd3nQIQsk3na+Qin2At4FhujlTdp6c4TgONNER+NzYCzXBl5GgCWr2mS:XcIjUna3in2o4FulG4ONNi+NBNlY2amS
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mail.hearing-vision.com - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!
Targets
-
-
Target
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af.exe
-
Size
873KB
-
MD5
a37f4e7d2f3ac6c995f1986fcc9bb48f
-
SHA1
4e922eccec03db2683096b531801c73227e5ff42
-
SHA256
76f267de8fd5fa4744fb8294ee9a4765afeba03b36244527feca60a32df155af
-
SHA512
2959cca5d24deb57910fdd7ae9baae27c3bd0790868730477391e0a7e42fd8aec21225e902c96e46ccd23c2d3b80f8cb9a43d3d4e545fcd2c1d083564d2869ab
-
SSDEEP
12288:XcIjd3nQIQsk3na+Qin2At4FhujlTdp6c4TgONNER+NzYCzXBl5GgCWr2mS:XcIjUna3in2o4FulG4ONNi+NBNlY2amS
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Loads dropped DLL
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
$PLUGINSDIR/System.dll
-
Size
11KB
-
MD5
55a26d7800446f1373056064c64c3ce8
-
SHA1
80256857e9a0a9c8897923b717f3435295a76002
-
SHA256
904fd5481d72f4e03b01a455f848dedd095d0fb17e33608e0d849f5196fb6ff8
-
SHA512
04b8ab7a85c26f188c0a06f524488d6f2ac2884bf107c860c82e94ae12c3859f825133d78338fd2b594dfc48f7dc9888ae76fee786c6252a5c77c88755128a5b
-
SSDEEP
192:MPtkumJX7zBE2kGwfy9S9VkPsFQ1Mx1c:97O2k5q9wA1Mxa
Score3/10 -
-
-
Target
Disintricate/keelhauls.scr
-
Size
1.0MB
-
MD5
87a3ce82a211e6022d7145c99eef5edc
-
SHA1
d2aa5daef3272acdee40657353ebb0ba94728e8d
-
SHA256
66bf6c84307739696eb18d632b6a34755375e61f3c612dc273c7f8f25fcad938
-
SHA512
66f2bc1530f6d187749486c7305f069d67964ef5427a6a59f2dc081469f5d608c6e0d2c30edef70a6a79e6386be1528ae2b8725ba704e2d3cf8b2f303d8eb1cf
-
SSDEEP
768:N9lotXK6U6HA/zmsIxzvraRwfj+iMbmwrhg2hnwjYBm2GOP9bsWZafCJL6Ir7wxG:QRPMLzJ
Score1/10 -