General
- Target: Salary.receipt.exe
- Size: 507KB
- Sample: 201109-6axfgxqeqx
- MD5: 2ed6761b5c7c9bb55e0d800c64398192
- SHA1: 28832ad3b22e7a6bce3d16e11aa87654f34acef5
- SHA256: 94b82f0655f1a9554b3cea8e31ac76ffd4cbcb32ebee539fb7706d4ced615fa7
- SHA512: 71a56a17e0a45f7a57a4bba731e0f9b764e74d3cd76ad0ffea82d5f77987446146b2c07380c86d65a9281ef2beb706f81346dd09daf080eb962e0cffcbdd4a7c
Behavioral task: behavioral1
- Sample: Salary.receipt.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Salary.receipt.exe
- Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.emjayes.com
- Port: 587
- Username: alert@emjayes.com
- Password: covid2019$
Targets
- Target: Salary.receipt.exe
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- Reads data files stored by FTP clients: Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Suspicious use of SetThreadContext