General

Target: 167647227-54134-sdfnt4-2.pdf.exe
Size: 490KB
Sample: 201109-hvs1yv325s
MD5: c0439cb689521497f7196071bb6d7709
SHA1: 54871ad8ffc2e1b2c219cc11bd2a0f959478c3b2
SHA256: 5c133741b443850a940c58eb5a162c485b8186d0db0c99be3962e277eecca550
SHA512: 63df0c63fe678113185e5b61d5a700e191f1e384c85b91119bdfe8f934a0f4ff1343e6a4f84f8838868b290d34a7674c6f12a67e45db516d35b23f851b48dfb4
Static task: static1

Behavioral task: behavioral1
  Sample: 167647227-54134-sdfnt4-2.pdf.exe
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: 167647227-54134-sdfnt4-2.pdf.exe
  Resource: win10v20201028
Malware Config

Extracted (agenttesla)
  Protocol: smtp
  Host: smtp.mail.ru
  Port: 587
  Username: imateubort@inbox.ru
  Password: rbrt@al72
Targets

Target: 167647227-54134-sdfnt4-2.pdf.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

AgentTesla Payload

Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious use of SetThreadContext