General
-
Target
PO2056.scr.exe
-
Size
493KB
-
Sample
201109-7mxmey12q6
-
MD5
03372cc1dcb3916e8f10c5cee22a7a83
-
SHA1
3d469b28ab0c92e71c75e513eebeb0fcfe279542
-
SHA256
b1d81765575179f6a75ca6b10d710624cfb016668d79be17921f0babbe466bfb
-
SHA512
aba7c2121d868c79ca5bd8d41af5c489d63295efebd86362805cddc1718c87deba47cc8b2a829992ade90916d6c83eaf10bd7f4aeb2a04b0899b57cba715e5cc
Malware Config
Extracted
Protocol: smtp- Host:
mail.pftas.com.au - Port:
587 - Username:
ulverstone@pftas.com.au - Password:
pftas108mail
Targets
-
-
Target
PO2056.scr.exe
-
Size
493KB
-
MD5
03372cc1dcb3916e8f10c5cee22a7a83
-
SHA1
3d469b28ab0c92e71c75e513eebeb0fcfe279542
-
SHA256
b1d81765575179f6a75ca6b10d710624cfb016668d79be17921f0babbe466bfb
-
SHA512
aba7c2121d868c79ca5bd8d41af5c489d63295efebd86362805cddc1718c87deba47cc8b2a829992ade90916d6c83eaf10bd7f4aeb2a04b0899b57cba715e5cc
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
rezer0
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-