General
- Target: gunzipped
- Size: 602KB
- Sample: 201109-b9y332dkcn
- MD5: 8ee650d9c83e5e105e523e1431cd6d58
- SHA1: 96c13097506af7965036de864bf0ff48a842af5f
- SHA256: 3845a8f1b22212dbb08c6a9c95c3cc765a2d9676dbe367acf2c24f845b264bf6
- SHA512: b071921b412e8a6dd1e3f2676cb836b7eb013d5c24a1d4976150b365f531a7c27480f196d6e9d4ee9086bdd7d66c39817c7ce5ce6b11fa6fe22eb6fa58292c4a
Static task
- static1
Behavioral task
- behavioral1
- Sample: gunzipped.exe
- Resource: win7v20201028
Malware Config
Extracted (agenttesla)
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: bin2laden@yandex.com
- Password: gatefee22
Note: exfiltration goes to a legitimate mail provider's submission port, so on the wire it looks like ordinary outbound mail from the victim host; the account name and the host/port pair are the usable indicators, and the credentials should be reported to the provider rather than reused for "verification".
Targets
- Target: gunzipped (602KB; same MD5, SHA1, SHA256 and SHA512 as listed under General)
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in VB.NET. It harvests saved credentials from browsers, mail clients and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample uses the SMTP account in the extracted config.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry: the Guest Additions key is only present inside a VirtualBox guest, so its presence is a cheap virtual-machine indicator.
- Looks for VMWare Tools registry key: same purpose as the VirtualBox check, for VMware guests.
- Checks BIOS information in registry: BIOS vendor and version strings are often read in order to detect sandboxing environments.
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla, which store saved site credentials on disk.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Maps connected drives based on registry: disk information (vendor and model strings) is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: writing another thread's context is the classic way a loader redirects a suspended process's entry point into injected code (process hollowing / RunPE); the report does not name the target process.
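The behaviours above and the extracted SMTP config are the detection-relevant content of this report. The following Python is an added example, not part of the sandbox report or of any tool the report describes: it scores constructed host-telemetry events per process against those behaviours and the C2 host/port from the config, so that a single VM check or a single SMTP session (both common in benign software) is not flagged on its own. The registry keys, credential-store paths and the event schema are assumptions chosen to illustrate the signatures, not paths the report itself lists.

```python
"""Added example, not part of the sandbox report: score host-telemetry events
against the behaviours and the extracted SMTP exfil config listed above."""
import re
from collections import defaultdict

# Exfil config as extracted by the sandbox; the password is deliberately not
# needed for detection, only the host/port pair and the account name.
AGENTTESLA_SMTP_C2 = {"host": "smtp.yandex.com", "port": 587,
                      "username": "bin2laden@yandex.com"}

# Assumption: these are the registry keys behind the report's VirtualBox,
# VMware Tools, BIOS and connected-drive signatures.
VM_CHECK_KEYS = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
}

# Assumption: representative on-disk credential stores of the FTP, browser and
# mail clients the report says the sample reads.
CRED_STORE_PATTERNS = [
    re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I),
    re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    re.compile(r"\\(Mozilla\\Firefox|Thunderbird)\\Profiles\\[^\\]+\\(logins\.json|key4\.db)$", re.I),
]


def classify(event):
    """Map one telemetry event to a behaviour category, or None if uninteresting."""
    kind = event["type"]
    if kind == "registry_query" and event["key"] in VM_CHECK_KEYS:
        return "vm_detection"
    if kind == "file_read" and any(p.search(event["path"]) for p in CRED_STORE_PATTERNS):
        return "credential_store_read"
    if kind == "net_connect":
        if (event["dst"].lower() == AGENTTESLA_SMTP_C2["host"]
                and event["port"] == AGENTTESLA_SMTP_C2["port"]):
            return "smtp_to_known_c2"
        return None
    # SetThreadContext on a thread of another process is the hollowing pattern.
    if (kind == "api_call" and event["api"] == "SetThreadContext"
            and event.get("target_pid") not in (None, event["pid"])):
        return "remote_thread_context_write"
    return None


def score_processes(events):
    """Return {pid: set(categories)}: behaviours are judged per process, not per event."""
    seen = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            seen[ev["pid"]].add(cat)
    return dict(seen)


def verdict(categories):
    """One VM check or one SMTP session is normal; the combination is not."""
    if "credential_store_read" in categories and "smtp_to_known_c2" in categories:
        return "agenttesla-like: credential theft + exfil to extracted C2"
    if len(categories) >= 3:
        return "suspicious: multiple stealer behaviours"
    return "no finding"


# Constructed sample telemetry (not real logs): pid 1234 mimics gunzipped.exe,
# pid 555 is a mail client, pid 777 a setup program that only reads BIOS info.
SAMPLE_EVENTS = [
    {"pid": 1234, "type": "registry_query", "key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"pid": 1234, "type": "registry_query", "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"pid": 1234, "type": "registry_query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
    {"pid": 1234, "type": "file_read", "path": r"C:\Users\bob\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 1234, "type": "file_read", "path": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1234, "type": "api_call", "api": "SetThreadContext", "target_pid": 1300},
    {"pid": 1234, "type": "net_connect", "dst": "smtp.yandex.com", "port": 587},
    {"pid": 555, "type": "net_connect", "dst": "smtp.office365.com", "port": 587},
    {"pid": 777, "type": "registry_query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
]

if __name__ == "__main__":
    for pid, cats in score_processes(SAMPLE_EVENTS).items():
        print(pid, sorted(cats), "->", verdict(cats))
```

Running the block prints one line per process that produced at least one category: pid 1234 is reported as agenttesla-like, pid 777 as no finding, and pid 555 does not appear because an SMTP submission to a host other than the extracted C2 is not an indicator by itself. In a real deployment the `SAMPLE_EVENTS` list would be replaced by EDR or Sysmon-derived events normalised to the same small schema.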