General
Target: PO011945-xls.exe
Size: 491KB
Sample: 201109-vk7l4h6rbe
MD5: ea8c72dc6c0337d0e8369dfe7ead4348
SHA1: f9a2908695d54aec96b325473d12d6d6f80bfa52
SHA256: 2f596498224c1a3dbe1dd61709c82f553ec608c406b13ca6379c27540c0a4d05
SHA512: eb8b1aed3317909e2d18888471dc9ce3d58b5f56eb42e7e521047cd1cca3676b8add358263b86f9a16b5d26ee8ed11054a6ce267705bc0834e088fa81f618b50
Static task: static1
Behavioral task: behavioral1 (Sample: PO011945-xls.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: PO011945-xls.exe, Resource: win10v20201028)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.almushrefcoop.com
Port: 587
Username: zainab@almushrefcoop.com
Password: zainab123
Targets
Target: PO011945-xls.exe
Size: 491KB
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.

AgentTesla Payload

Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients
Email clients store some user data on disk, which infostealers often target.

Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials and similar information.

Suspicious use of SetThreadContext