General
Target: Signed PO.exe
Size: 688 KB
Sample: 201125-qkvk5dvvge
MD5: 35427a284ae978c86b7eba2738564545
SHA1: 6b1156236111f3af9754bfea4e61afb42be7d59f
SHA256: 0096dc44d88cb2dc617a69d3b9fef566a848c661f00bee5a85afcb205a33aba9
SHA512: d8e02ab6b6e513de4225bbb0211a1a04957760bc409a0fd6cc94a1297242d1625e81fcbbc23c1feceba481f6380ca15de77891f2b7bbd903fb53fe70093b3435
Static task: static1
Behavioral task: behavioral1
Sample: Signed PO.exe
Resource: win7v20201028
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: smtp.shirdilog.com
Port: 587
Username: cs.maa@shirdilog.com
Password: SL094521
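The extracted values are the attacker's exfiltration mailbox, hard-coded in the sample: the host and port are network indicators, and the account name is what an analyst would expect to see in the SMTP AUTH exchange if the traffic is captured in the clear. The following is an added example, not part of the Triage report and not AgentTesla code, that parses the config line as the report renders it, reconstructs a plaintext SMTP submission (both AUTH LOGIN and AUTH PLAIN), and checks a session against the config. The SMTP transcripts, the client name WIN-VICTIM and the helper names (parse_config, build_session, extract_smtp_auth, match_session) are constructed for this example. Note the caveat in match_session: port 587 submission normally negotiates STARTTLS, in which case only the host and port are visible on the wire.

```python
import base64
import re

# Configuration line as the report above renders it for this sample.
CONFIG_TEXT = ("Protocol: smtp - Host: smtp.shirdilog.com - Port: 587 - "
               "Username: cs.maa@shirdilog.com - Password: SL094521")


def parse_config(text):
    """Split a 'Key: value - Key: value' config line into a dict with lower-case keys."""
    return {m.group(1).lower(): m.group(2).strip()
            for m in re.finditer(r"(\w+):\s*(.*?)\s*(?=-\s*\w+:|$)", text)}


def build_session(user, password, mechanism="LOGIN", starttls=False):
    """Construct a plaintext SMTP submission transcript (constructed sample, not captured
    traffic). Lines are prefixed 'C: ' (client) or 'S: ' (server)."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    lines = ["S: 220 smtp.shirdilog.com ESMTP", "C: EHLO WIN-VICTIM",
             "S: 250-STARTTLS", "S: 250 AUTH LOGIN PLAIN"]
    if starttls:
        # After STARTTLS the rest of the dialogue is inside TLS and not visible on the wire.
        return "\n".join(lines + ["C: STARTTLS", "S: 220 Ready to start TLS"])
    if mechanism == "LOGIN":
        # 334 challenges are base64("Username:") and base64("Password:").
        lines += ["C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6", "C: " + b64(user),
                  "S: 334 UGFzc3dvcmQ6", "C: " + b64(password)]
    else:  # RFC 4616 PLAIN: base64("\0user\0password")
        lines += ["C: AUTH PLAIN " + b64("\0" + user + "\0" + password)]
    lines += ["S: 235 Authentication successful", f"C: MAIL FROM:<{user}>"]
    return "\n".join(lines)


def extract_smtp_auth(session):
    """Recover username/password from a plaintext AUTH LOGIN or AUTH PLAIN exchange.
    Returns None if the client negotiated STARTTLS first (credentials are then encrypted)
    or if no AUTH command is present. Inline 'AUTH LOGIN <b64user>' is not handled."""
    client = [line[3:] for line in session.splitlines() if line.startswith("C: ")]
    for i, cmd in enumerate(client):
        upper = cmd.upper()
        if upper == "STARTTLS":
            return None
        if upper.startswith("AUTH PLAIN "):
            fields = base64.b64decode(cmd.split(" ", 2)[2]).decode().split("\0")
            return {"username": fields[-2], "password": fields[-1]}
        if upper == "AUTH LOGIN" and i + 2 < len(client):
            return {"username": base64.b64decode(client[i + 1]).decode(),
                    "password": base64.b64decode(client[i + 2]).decode()}
    return None


def match_session(config, dst_host, dst_port, session):
    """List the ways a captured SMTP session agrees with the extracted config."""
    findings = []
    if dst_host.lower() == config["host"].lower() and str(dst_port) == config["port"]:
        findings.append(f"connection to the configured exfiltration server {dst_host}:{dst_port}")
    creds = extract_smtp_auth(session)
    if creds is None:
        findings.append("credentials not visible on the wire (STARTTLS or no AUTH); "
                        "host/port are the only usable indicators")
    elif creds["username"].lower() == config["username"].lower():
        findings.append("AUTH uses the mailbox hard-coded in the sample")
        if creds["password"] == config["password"]:
            findings.append("AUTH password matches the extracted config")
    return findings


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for mech, tls in (("LOGIN", False), ("PLAIN", False), ("LOGIN", True)):
        session = build_session(cfg["username"], cfg["password"], mech, tls)
        print(mech, "starttls" if tls else "plaintext",
              match_session(cfg, "smtp.shirdilog.com", 587, session))
```

Do not use the recovered credentials to log into the attacker's mailbox; their value here is attribution (the same account across samples) and a block rule for smtp.shirdilog.com:587 at egress.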
Targets
Target: Signed PO.exe (688 KB; MD5, SHA1, SHA256 and SHA512 identical to those listed under General)
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (its builds are typically Visual Basic .NET or C#); the configuration extracted above shows this sample is set up to exfiltrate over SMTP.
-
AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry: the Guest Additions key is only present inside a VirtualBox guest, a common sandbox host.
- Looks for VMWare Tools registry key: likewise, VMware Tools is only installed in a VMware guest.
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: setting the context of a thread in another process is the step that redirects a suspended process into injected code (process hollowing / RunPE), a common way of running an unpacked payload inside a benign-looking host process.
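To show what these signatures actually key on, here is an added example (not part of the Triage report and not AgentTesla code) that classifies a sandbox trace by the registry keys, file paths and API-call order behind each signature above, including the ordered CreateProcess(CREATE_SUSPENDED), WriteProcessMemory, SetThreadContext, ResumeThread sequence that makes SetThreadContext suspicious. The trace format, the process IDs and the helper names (parse_trace, classify, in_order) are constructed for this example; the registry keys and paths are the standard locations these checks use, and the table is easy to extend.

```python
from collections import defaultdict

# Registry keys behind the anti-VM signatures (prefix match, case-insensitive).
ANTI_VM_REGISTRY = {
    "Looks for VirtualBox Guest Additions in registry": [
        r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "Looks for VMWare Tools registry key": [
        r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"],
    "Checks BIOS information in registry": [
        r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion"],
    "Maps connected drives based on registry": [
        r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"],
}

# Path fragments behind the credential-theft signatures (substring match, case-insensitive).
STEALER_FILES = {
    "Reads data files stored by FTP clients": [
        r"\AppData\Roaming\FileZilla\sitemanager.xml",
        r"\AppData\Roaming\FileZilla\recentservers.xml"],
    "Reads user/profile data of local email clients": [
        r"\AppData\Roaming\Thunderbird\Profiles"],
    "Reads user/profile data of web browsers": [
        r"\AppData\Local\Google\Chrome\User Data",
        r"\AppData\Roaming\Mozilla\Firefox\Profiles"],
}

# Ordered API calls of process hollowing / RunPE: (API name prefix, required substring or None).
HOLLOWING_SEQUENCE = [("CreateProcess", "CREATE_SUSPENDED"), ("WriteProcessMemory", None),
                      ("SetThreadContext", None), ("ResumeThread", None)]

# Constructed trace (hypothetical PIDs): "<pid> <kind> <detail>", kind in reg_query/file_read/api.
TRACE = r"""
1234 reg_query HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
1234 reg_query HKLM\SOFTWARE\VMware, Inc.\VMware Tools
1234 reg_query HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
1234 reg_query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
1234 file_read C:\Users\victim\AppData\Roaming\FileZilla\sitemanager.xml
1234 file_read C:\Users\victim\AppData\Roaming\Thunderbird\Profiles\abcd.default\logins.json
1234 file_read C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data
1234 api CreateProcessW flags=CREATE_SUSPENDED
1234 api WriteProcessMemory
1234 api SetThreadContext
1234 api ResumeThread
5678 reg_query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5678 api SetThreadContext
"""


def parse_trace(text):
    """Parse trace lines into (pid, kind, detail) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            pid, kind, detail = line.split(" ", 2)
            events.append((int(pid), kind, detail))
    return events


def _matches(call, step):
    name, flag = step
    return call.startswith(name) and (flag is None or flag in call)


def in_order(calls, pattern):
    """True if every step of pattern occurs in calls in that order (gaps allowed)."""
    it = iter(calls)  # shared iterator: each step consumes calls up to its match
    return all(any(_matches(c, step) for c in it) for step in pattern)


def classify(events):
    """Map each signature name to the sorted list of PIDs that triggered it."""
    hits = defaultdict(set)
    api_calls = defaultdict(list)
    for pid, kind, detail in events:
        d = detail.lower()
        if kind == "reg_query":
            for sig, keys in ANTI_VM_REGISTRY.items():
                if any(d.startswith(k.lower()) for k in keys):
                    hits[sig].add(pid)
        elif kind == "file_read":
            for sig, frags in STEALER_FILES.items():
                if any(f.lower() in d for f in frags):
                    hits[sig].add(pid)
        elif kind == "api":
            api_calls[pid].append(detail)
    # A lone SetThreadContext (pid 5678) is not enough; the full hollowing order is required.
    for pid, calls in api_calls.items():
        if in_order(calls, HOLLOWING_SEQUENCE):
            hits["Suspicious use of SetThreadContext"].add(pid)
    return {sig: sorted(pids) for sig, pids in hits.items()}


if __name__ == "__main__":
    for sig, pids in classify(parse_trace(TRACE)).items():
        print(f"{sig}: pids {pids}")
```

Requiring the full call order, rather than any SetThreadContext, is what keeps pid 5678 (which only sets a thread context) out of the result while pid 1234 matches every signature in the report.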