General
-
Target
1b38c1e6bece1fbfd546f1016a6b17d7_JaffaCakes118
-
Size
533KB
-
Sample
240701-n6xbkstemn
-
MD5
1b38c1e6bece1fbfd546f1016a6b17d7
-
SHA1
d129c05f313c86e9186a7753ffc6e5189d0a84f2
-
SHA256
eed1ff326beb0779b3fefef65ca73bec04723ccc72db283557aa6a73a28a3d1f
-
SHA512
8fd05e40c4b4f775b9f1d6b19382d5b8d1424c8bc176c0885c25e8b07174200dc9ba909e4d83dc920e745cd9316fc698242a1d674f805cde9882740b77ec9d1b
-
SSDEEP
6144:PDMAYloj1/L8YEAQwgG5hRCEdMZpj7Sfav0bI8rd6SlV9RNbPtQN:PDMAzjN4YEAFTC+MaPbI8J6SlTPs
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
godisgreat
Targets
-
-
Target
1b38c1e6bece1fbfd546f1016a6b17d7_JaffaCakes118
-
Size
533KB
-
MD5
1b38c1e6bece1fbfd546f1016a6b17d7
-
SHA1
d129c05f313c86e9186a7753ffc6e5189d0a84f2
-
SHA256
eed1ff326beb0779b3fefef65ca73bec04723ccc72db283557aa6a73a28a3d1f
-
SHA512
8fd05e40c4b4f775b9f1d6b19382d5b8d1424c8bc176c0885c25e8b07174200dc9ba909e4d83dc920e745cd9316fc698242a1d674f805cde9882740b77ec9d1b
-
SSDEEP
6144:PDMAYloj1/L8YEAQwgG5hRCEdMZpj7Sfav0bI8rd6SlV9RNbPtQN:PDMAzjN4YEAFTC+MaPbI8J6SlTPs
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-