General
Target: New PO JINDAL GROUP JUNE SUPPLIES.exe
Size: 707KB
Sample: 201109-crgpx7pcva
MD5: 56691af2924510627ff5ebfebbf34ae6
SHA1: 2da88ce034e652d40d621a1cc3fe5abc6a5c46d5
SHA256: bd0942599a238c4cdc3c2da9351ce62e14e6a212513ddd66b9da598fb35dcbf2
SHA512: e52797941bb070cbb091387e236218911a7738a623bf4cd4be97e2c9de12985acc115626dde57711ec5b0610b8d88bb6be9ad75d430f06972a16f89c25afd0f9
Static task
static1

Behavioral task
behavioral1
Sample: New PO JINDAL GROUP JUNE SUPPLIES.exe
Resource: win7v20201028

Behavioral task
behavioral2
Sample: New PO JINDAL GROUP JUNE SUPPLIES.exe
Resource: win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.ilclaw.com.ph
Port: 587
Username: emingles@ilclaw.com.ph
Password: P@ssw0rd
Targets

Target: New PO JINDAL GROUP JUNE SUPPLIES.exe
Size: 707KB

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.

AgentTesla Payload

Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients
Email clients store some user data on disk, which infostealers often target.

Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

Suspicious use of SetThreadContext