General
-
Target
PO 32133311.exe
-
Size
1.1MB
-
Sample
200711-t3jwm2ejc6
-
MD5
d9a806cbd0892008214dc9d7ea929e42
-
SHA1
d2a4000105e47ffad495f864a55822658a198724
-
SHA256
bf9caae4940f91401db499ed61a89d3e5ed867bc846f229cced95288739f8dc6
-
SHA512
718eb3a45afa81822cd75e418a8a684b3d3dd3c42fb0857799f0294c853c3a16e146f5afc89933bbe49cfc0ee49a4127c8734fc3f09bd6aaca9f04daf0726ea5
Static task
static1
Behavioral task
behavioral1
Sample
PO 32133311.exe
Resource
win7
Behavioral task
behavioral2
Sample
PO 32133311.exe
Resource
win10v200430
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
esut96092
Targets
-
-
Target
PO 32133311.exe
-
Size
1.1MB
-
MD5
d9a806cbd0892008214dc9d7ea929e42
-
SHA1
d2a4000105e47ffad495f864a55822658a198724
-
SHA256
bf9caae4940f91401db499ed61a89d3e5ed867bc846f229cced95288739f8dc6
-
SHA512
718eb3a45afa81822cd75e418a8a684b3d3dd3c42fb0857799f0294c853c3a16e146f5afc89933bbe49cfc0ee49a4127c8734fc3f09bd6aaca9f04daf0726ea5
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-