General
-
Target
PO 321134.exe
-
Size
1.1MB
-
Sample
200707-67tnns93qe
-
MD5
7b2934d2e00efcb5d5dd7ea10c29da17
-
SHA1
710fd63edc49f1d74a714398674400254b76574e
-
SHA256
abf8160dd66f87903ba311f77da9f6b5c66538ffd5eedc9555a46369a6917b27
-
SHA512
1f543a60f91238b97133794dec53d447e1f66952aecab6e754d45bae637412d9eaf2fe38f09dd1efe09f562ee31a46eebb6500775203ae98d5216b07ab94d6ed
Static task
static1
Behavioral task
behavioral1
Sample
PO 321134.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
PO 321134.exe
Resource
win10
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.mail.com - Port:
587 - Username:
[email protected] - Password:
UCHE123456
Targets
-
-
Target
PO 321134.exe
-
Size
1.1MB
-
MD5
7b2934d2e00efcb5d5dd7ea10c29da17
-
SHA1
710fd63edc49f1d74a714398674400254b76574e
-
SHA256
abf8160dd66f87903ba311f77da9f6b5c66538ffd5eedc9555a46369a6917b27
-
SHA512
1f543a60f91238b97133794dec53d447e1f66952aecab6e754d45bae637412d9eaf2fe38f09dd1efe09f562ee31a46eebb6500775203ae98d5216b07ab94d6ed
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-