General
Target: 45675678_B.exe
Size: 486KB
Sample: 201109-v8ba31xda2
MD5: c677085630237e46e5d80f69ab090ad0
SHA1: 29986b0e2300bb9a34d6692227dc522d12a92107
SHA256: 67b2cd29fa6e7d0e7b435506d26c026e853e137dd4cc49f714859f9d75a9a546
SHA512: c2342d2b7113676ff2fa3b3213dbebbc3af714cbb01f14bf9b7bb4cf899866ce9ad1eb9f70f8ffeddb248fdf66377c783a4cefc3a7edc6072116955c6ffaa999
Static task: static1
Behavioral task: behavioral1
  Sample: 45675678_B.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 45675678_B.exe
  Resource: win10v20201028
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: ju5tinemike@yandex.com
  Password: princehero1234
Targets
Target: 45675678_B.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

AgentTesla Payload

Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients
Email clients store some user data on disk, and infostealers often target it.

Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Suspicious use of SetThreadContext