General
- Target: shipping docs.exe
- Size: 596KB
- Sample: 201109-r72x1p1yhe
- MD5: fae99f9eac22197d0f347c216fd48fad
- SHA1: 7772562ae60af041560b61286a3de0986f0aa853
- SHA256: 6e3516d6a2dc2681509e0a71ec1a58d6eb9e1b01c96e75dc248c2c5ae3250be8
- SHA512: 05fb8c9ad79c765ff4d2bb417ae9eb752c46a2c904c86632f97c5c27d4751aba2a49399b12c7182d63fa4d2e0fb66e3e48b4596758e7842a0eee59c0f32f2814
Static task: static1
Behavioral task: behavioral1
- Sample: shipping docs.exe
- Resource: win7v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.epaindemgroup.com
- Port: 587
- Username: ekwe@epaindemgroup.com
- Password: }bf9e+EW5s$k
Targets
- Target: shipping docs.exe
- Size: 596KB
- MD5: fae99f9eac22197d0f347c216fd48fad
- SHA1: 7772562ae60af041560b61286a3de0986f0aa853
- SHA256: 6e3516d6a2dc2681509e0a71ec1a58d6eb9e1b01c96e75dc248c2c5ae3250be8
- SHA512: 05fb8c9ad79c765ff4d2bb417ae9eb752c46a2c904c86632f97c5c27d4751aba2a49399b12c7182d63fa4d2e0fb66e3e48b4596758e7842a0eee59c0f32f2814
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext