General
- Target: PO4500005392.exe
- Size: 616KB
- Sample: 201109-rnl8pfbfhj
- MD5: 0529a70c7d01908f3fe58e62a67dd559
- SHA1: c7795040fd21a6fe53d8bf439925bf043d544ea7
- SHA256: 102ac6c0d193add286a4339d2e63b2d43733d26364df195ecb942c7ae3fb8bfd
- SHA512: bcee512ff9d26460f51963147d8222ccfe74842ff0acb5ef9aa3cef2eecc0bc8b703380f5db6d3f253cccbffbb05e81fc0c64129963b2debc73e9d5c23d95c07
Static task: static1
Behavioral task: behavioral1
- Sample: PO4500005392.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: PO4500005392.exe
- Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.mail.com
- Port: 587
- Username: dadmed@usa.com
- Password: yahoo1122
Targets
- Target: PO4500005392.exe
- Size: 616KB
- MD5: 0529a70c7d01908f3fe58e62a67dd559
- SHA1: c7795040fd21a6fe53d8bf439925bf043d544ea7
- SHA256: 102ac6c0d193add286a4339d2e63b2d43733d26364df195ecb942c7ae3fb8bfd
- SHA512: bcee512ff9d26460f51963147d8222ccfe74842ff0acb5ef9aa3cef2eecc0bc8b703380f5db6d3f253cccbffbb05e81fc0c64129963b2debc73e9d5c23d95c07
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Drops file in Drivers directory
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext