General
-
Target
S_0100388490101_05_07_20.exe
-
Size
485KB
-
Sample
201109-a7mckvxbd6
-
MD5
e705f67dbef2339a4658d9132dcd9477
-
SHA1
a85bb77015bf5e27e52ce1ee464c65cfb69ebd46
-
SHA256
48c9d6d694174cbbf4f1d52905fab281e1fde291d1d4fbb4db8c97b7ff232cc9
-
SHA512
f68e1cb2757f98a6d98156d59352bc9529f54c29064db6db1b876036f287e4b68e7a0e7308d8d3cdfa555b3ce5119b305928ec97b75a212a983682588c88de6c
Static task
static1
Behavioral task
behavioral1
Sample
S_0100388490101_05_07_20.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
S_0100388490101_05_07_20.exe
Resource
win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.reacsa.com.mx - Port:
587 - Username:
sucursal_puebla@reacsa.com.mx - Password:
(MzImXmp2u)!
Extracted
Protocol: smtp- Host:
mail.reacsa.com.mx - Port:
587 - Username:
sucursal_puebla@reacsa.com.mx - Password:
(MzImXmp2u)!
Targets
-
-
Target
S_0100388490101_05_07_20.exe
-
Size
485KB
-
MD5
e705f67dbef2339a4658d9132dcd9477
-
SHA1
a85bb77015bf5e27e52ce1ee464c65cfb69ebd46
-
SHA256
48c9d6d694174cbbf4f1d52905fab281e1fde291d1d4fbb4db8c97b7ff232cc9
-
SHA512
f68e1cb2757f98a6d98156d59352bc9529f54c29064db6db1b876036f287e4b68e7a0e7308d8d3cdfa555b3ce5119b305928ec97b75a212a983682588c88de6c
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-