General
-
Target
3c0d10caf3619bdd46f1e8dfadc02045bed65591567a25916daf5368159b00f1.tar
-
Size
807KB
-
Sample
240705-bl7klayenl
-
MD5
d8a7603fa9c90c5a9285779e0e5df41a
-
SHA1
4280142e4bd2b4ef541e2b87881f8c65aff0771d
-
SHA256
3c0d10caf3619bdd46f1e8dfadc02045bed65591567a25916daf5368159b00f1
-
SHA512
dfb052622cb46bc4432cef95943403d31763adf30e240e2baedf3517181d8eb34324b4bda740c8d99a9a35689003b5133469d80c696b97f0d87756e075a4ea75
-
SSDEEP
12288:dLYjofC1PHG1ub2dwZEWBMlQrpNO4904kZwB2JYoUev4y1VJznHhtbKOVDyTVoy:+1m1utZqi9gI0qB2JYofQOznHhhKGy
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
nffplp.com - Port:
587 - Username:
[email protected] - Password:
$Nke%8XIIDtm - Email To:
[email protected]
Extracted
Protocol: smtp- Host:
nffplp.com - Port:
587 - Username:
[email protected] - Password:
$Nke%8XIIDtm
Targets
-
-
Target
SOA Payment for June 30th.exe
-
Size
806KB
-
MD5
63128eeca6e0dabeddfd68c0517d4c91
-
SHA1
eb43eb41464d255d312b6b2aa14428ccd16156da
-
SHA256
45d0c2ec2ede02e8b8ef535346a4e7e06fd52ba27995a15a5f1a0b11e305d4f7
-
SHA512
73fabc52ee53b8ab3e70006c058ad6718b00cdc8259eccb7e545e7223d1cff7f84d670788484b6fdb59ef4930162d0ccbe83f2af4f1ab9fdc3d0577e9a767547
-
SSDEEP
12288:dLYjofC1PHG1ub2dwZEWBMlQrpNO4904kZwB2JYoUev4y1VJznHhtbKOVDyTVoy:+1m1utZqi9gI0qB2JYofQOznHhhKGy
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-