General
-
Target
USD_Payment Details.xls
-
Size
95KB
-
Sample
200713-89z65p8vh2
-
MD5
fd1be82d683bde7bdf1ae61d2eda6827
-
SHA1
de3b56b9f7c978cfa7a6e4a2533b9fc7bf0ec909
-
SHA256
6dd03646685c5f0f835db9af5c3e80e3b425fdea1595f81f62bee4550b2a7635
-
SHA512
0cc7ad398cb9255bdfa90ad37f2d78a905826ba6b93ad172797ed366976f065d449bc02e10c662740943b8b4ddee365bc6382be6d6a2cabadc0789709ce5c3e7
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.skibokshotell.no/ - Port:
21 - Username:
[email protected] - Password:
u{psFslG@7Ly
Protocol: ftp- Host:
ftp://ftp.skibokshotell.no/ - Port:
21 - Username:
[email protected] - Password:
u{psFslG@7Ly
Targets
-
-
Target
USD_Payment Details.xls
-
Size
95KB
-
MD5
fd1be82d683bde7bdf1ae61d2eda6827
-
SHA1
de3b56b9f7c978cfa7a6e4a2533b9fc7bf0ec909
-
SHA256
6dd03646685c5f0f835db9af5c3e80e3b425fdea1595f81f62bee4550b2a7635
-
SHA512
0cc7ad398cb9255bdfa90ad37f2d78a905826ba6b93ad172797ed366976f065d449bc02e10c662740943b8b4ddee365bc6382be6d6a2cabadc0789709ce5c3e7
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-