General
- Target: 16015107.xlam
- Size: 12KB
- Sample: 200709-1jescq39mj
- MD5: db3b7d4cfb134c5ad4c74891e23c06e4
- SHA1: b78856ac0597b12d2befe6ebb055082632529a71
- SHA256: 2e6f88c4dc2322c385d506a81b5127f4361cb824389315d4dbb100e959c8fbc0
- SHA512: 2266ab432712b2a9d4a744bcf0ac852e5573a00fe114c5378bd1e8a87355a6038efc32c38738ea7edb64eb8236458dbfdbc4cadfa84ccef196c20a8f0b153a00
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 16015107.xlam, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: 16015107.xlam, Resource: win10)
Malware Config
- Extracted URL: http://shopcart.indbytes.com/cig/16015107.jpg
- Extracted SMTP configuration:
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: 550fsjftg@-=)
Targets
- Target: 16015107.xlam
- Score: 10/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Signatures
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- Blacklisted process makes network request
- Executes dropped EXE
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.