General
-
Target
SecuriteInfo.com.BackDoor.SpyBotNET.25.27102.7892
-
Size
752KB
-
Sample
201126-xstvcdflje
-
MD5
b288063c42fdb8536d026e356fbea312
-
SHA1
399bd3d13a78149204b048e514a79f7ab3762e81
-
SHA256
18d3a183977a47e81f60e8ec7dfe404116b0f0f9a515696752710d6f5c005866
-
SHA512
a1e2af9532785116f8df35d20bfbb46052cb7f1bd4939822809b117e857bdd67a6a3b04eb022b3f56450590e64605d335abf75dc22f3f96d431e0810ac620d22
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.BackDoor.SpyBotNET.25.27102.7892.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
SecuriteInfo.com.BackDoor.SpyBotNET.25.27102.7892.exe
Resource
win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.chinavibratingsieve.com - Port:
587 - Username:
alice@chinavibratingsieve.com - Password:
1234567
Targets
-
-
Target
SecuriteInfo.com.BackDoor.SpyBotNET.25.27102.7892
-
Size
752KB
-
MD5
b288063c42fdb8536d026e356fbea312
-
SHA1
399bd3d13a78149204b048e514a79f7ab3762e81
-
SHA256
18d3a183977a47e81f60e8ec7dfe404116b0f0f9a515696752710d6f5c005866
-
SHA512
a1e2af9532785116f8df35d20bfbb46052cb7f1bd4939822809b117e857bdd67a6a3b04eb022b3f56450590e64605d335abf75dc22f3f96d431e0810ac620d22
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Drops file in Drivers directory
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-