General
-
Target
New PO JINDAL GROUP JUNE SUPPLIES.exe
-
Size
707KB
-
Sample
201109-crgpx7pcva
-
MD5
56691af2924510627ff5ebfebbf34ae6
-
SHA1
2da88ce034e652d40d621a1cc3fe5abc6a5c46d5
-
SHA256
bd0942599a238c4cdc3c2da9351ce62e14e6a212513ddd66b9da598fb35dcbf2
-
SHA512
e52797941bb070cbb091387e236218911a7738a623bf4cd4be97e2c9de12985acc115626dde57711ec5b0610b8d88bb6be9ad75d430f06972a16f89c25afd0f9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.ilclaw.com.ph - Port:
587 - Username:
emingles@ilclaw.com.ph - Password:
P@ssw0rd
Extracted
Protocol: smtp- Host:
mail.ilclaw.com.ph - Port:
587 - Username:
emingles@ilclaw.com.ph - Password:
P@ssw0rd
Targets
-
-
Target
New PO JINDAL GROUP JUNE SUPPLIES.exe
-
Size
707KB
-
MD5
56691af2924510627ff5ebfebbf34ae6
-
SHA1
2da88ce034e652d40d621a1cc3fe5abc6a5c46d5
-
SHA256
bd0942599a238c4cdc3c2da9351ce62e14e6a212513ddd66b9da598fb35dcbf2
-
SHA512
e52797941bb070cbb091387e236218911a7738a623bf4cd4be97e2c9de12985acc115626dde57711ec5b0610b8d88bb6be9ad75d430f06972a16f89c25afd0f9
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
rezer0
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-