General
- Target: A6563764.exe
- Size: 506KB
- Sample: 201109-mhrly1q9gs
- MD5: 8f366af5c2c53e79ca0c9266f78579a5
- SHA1: 49764c16ce6035d15ada170f1890066f1e376177
- SHA256: 919b877e9c76be62e66d349905d10c8bff2613cb1d1b01ee39493dbdbc3b6c32
- SHA512: 3c1829b0000769a8702ad299233e9cf26c33d3d9fac6cd6d47c7139ac45537bb470725f9977f7c3c0f2a07d2c71fa6408526e6e30fbe7ff90ed7a3d08b9afe94
Static task
- static1
Behavioral task
- behavioral1
  - Sample: A6563764.exe
  - Resource: win7v20201028
Behavioral task
- behavioral2
  - Sample: A6563764.exe
  - Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: workbox1970@mail.ru
- Password: PZAM5i(h1ioy
Targets
- Target: A6563764.exe
- Size: 506KB
- MD5: 8f366af5c2c53e79ca0c9266f78579a5
- SHA1: 49764c16ce6035d15ada170f1890066f1e376177
- SHA256: 919b877e9c76be62e66d349905d10c8bff2613cb1d1b01ee39493dbdbc3b6c32
- SHA512: 3c1829b0000769a8702ad299233e9cf26c33d3d9fac6cd6d47c7139ac45537bb470725f9977f7c3c0f2a07d2c71fa6408526e6e30fbe7ff90ed7a3d08b9afe94
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
- AgentTesla Payload
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext