General
Target: IMAGE...NEW ORDER.PDF.exe
Size: 618KB
Sample: 201109-1dtkvsea2e
MD5: 01f65c63a9678bad1d9bb9d1cd8a3138
SHA1: 31e6cee64f55b9de9b44cd2891d50b5149d81236
SHA256: a7f7e49f95a8d9975a8d8387f08338bb96219410b66bab944c14e1a7e654693f
SHA512: e295e8a68c089217e36b5d8786e34b384d8fdaead2863dafdebfe9942786570773d6f9ff8cd81d7a2fc505709cd85854556e035c4742d49426322417d4ee8ddd

Static task: static1
Behavioral task: behavioral1
Sample: IMAGE...NEW ORDER.PDF.exe
Resource: win7v20201028
Malware Config
Extracted (agenttesla)
Protocol: smtp
Host: mail.guthrie.com.sg
Port: 587
Username: roytay@guthrie.com.sg
Password: gut.com.sg
Targets
Target: IMAGE...NEW ORDER.PDF.exe (618KB; hashes as listed under General)
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext