General
-
Target
Mvyfnzkjh1.exe
-
Size
628KB
-
Sample
201204-ls7563xda2
-
MD5
654cecf1ecadee45d5bfe723fadd3224
-
SHA1
4be4a787186784dcfa0f3de0802d3e5abcb86963
-
SHA256
eb30592d078a3051e00e887c71cc415f1e80f20f43f1f60b808c5cb2be9cb5c6
-
SHA512
13ea6eb2831aef651c2184da9c5f6a9dc950bee99521c47a86557d45d9913c5cf439d4fed4f66397a63d7f5d7ee5c1335058265665d80ac5f9ab9c3971d19391
Static task
static1
Behavioral task
behavioral1
Sample
Mvyfnzkjh1.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Mvyfnzkjh1.exe
Resource
win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.impresstilecleaners.com.au
Port: 587
Username: gmt@impresstilecleaners.com.au
Password: Smith@222
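The extracted SMTP configuration is the most actionable part of this report: it names the exfiltration mail server, port and account. The script below is an added example (not part of the sandbox report) that parses the config in either the one-line "Key: value - Key: value" layout sandboxes emit or one field per line, turns it into indicators, and hunts for sessions using that account in a Zeek-style smtp.log. The log rows are constructed, the column set is reduced from a real smtp.log, and 203.0.113.10 is a placeholder for whatever the host actually resolves to.

```python
"""
Parse the Agent Tesla SMTP config extracted above and hunt for matching
sessions in a Zeek smtp.log. Added example, not part of the sandbox report;
the log excerpt below is constructed.
"""
import re

# The report's config. Sandboxes flatten this as "Key: value - Key: value" on one line;
# parse_config() accepts that layout as well as one field per line.
CONFIG_TEXT = (
    "Protocol: smtp- Host: mail.impresstilecleaners.com.au - Port: 587 "
    "- Username: gmt@impresstilecleaners.com.au - Password: Smith@222"
)

# Constructed Zeek smtp.log excerpt with a reduced column set (real logs carry more fields).
# 203.0.113.10 is a placeholder address, not the real resolution of the C2 host.
SMTP_LOG = """\
#separator \\x09
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tmailfrom\trcptto\tsubject\ttls
1606000001.0\t10.0.0.5\t203.0.113.10\t587\t<gmt@impresstilecleaners.com.au>\t<gmt@impresstilecleaners.com.au>\t-\tT
1606000002.0\t10.0.0.7\t198.51.100.9\t587\t<alice@corp.example>\t<bob@corp.example>\tQ3 report\tT
1606000003.0\t10.0.0.5\t203.0.113.10\t25\t<gmt@impresstilecleaners.com.au>\t<gmt@impresstilecleaners.com.au>\t-\tF
"""

# "Key: value" pairs, terminated by the next "Key:" (optionally preceded by " - ") or end of text.
FIELD_RE = re.compile(r"(\w+):\s*(.*?)(?=\s*(?:-\s*)?\w+:|\s*$)")


def parse_config(text):
    """Parse the flattened config into a dict with lower-cased keys; port becomes an int."""
    cfg = {k.lower(): v.strip() for k, v in FIELD_RE.findall(" ".join(text.split()))}
    cfg["port"] = int(cfg["port"])
    return cfg


def indicators(cfg):
    """Network and account indicators for blocking/alerting. The password is left out on
    purpose: it is the attacker's mailbox credential, useful for an abuse report to the
    provider, not for detection, and never for logging in."""
    return {
        "host": cfg["host"],
        "endpoint": f"{cfg['host']}:{cfg['port']}",
        "account": cfg["username"].lower(),
    }


def parse_zeek_log(text):
    """Parse a Zeek TSV log (columns taken from its '#fields' line) into a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _addr(s):
    """Normalise a Zeek mail address: strip the MAIL FROM/RCPT TO angle brackets, lower-case."""
    return s.strip().strip("<>").lower()


def find_exfil_sessions(rows, cfg):
    """smtp.log rows whose sender or any recipient is the configured exfil account.
    The port is reported but not required, because operators rotate ports more
    often than accounts."""
    account = cfg["username"].lower()
    hits = []
    for r in rows:
        sender = _addr(r.get("mailfrom", "-"))
        rcpts = {_addr(x) for x in r.get("rcptto", "-").split(",")}
        if account == sender or account in rcpts:
            hits.append({**r, "port_matches": r.get("id.resp_p") == str(cfg["port"])})
    return hits


def hunt():
    cfg = parse_config(CONFIG_TEXT)
    return find_exfil_sessions(parse_zeek_log(SMTP_LOG), cfg)


if __name__ == "__main__":
    print(indicators(parse_config(CONFIG_TEXT)))
    for hit in hunt():
        print(hit["ts"], hit["id.orig_h"], "->", hit["id.resp_h"], hit["id.resp_p"], hit["port_matches"])
```

On a real network the same account lookup belongs in the mail gateway and proxy logs as well as Zeek, and the host:port pair goes on the egress blocklist; the credential itself should only travel to the hosting provider's abuse contact.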
Targets
-
Target
Mvyfnzkjh1.exe
-
Size
628KB
-
MD5, SHA1, SHA256, SHA512: identical to the General section above
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, typically written in VB.NET or C#. It harvests saved credentials from browsers, e-mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample is configured for SMTP (see Malware Config above).
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
Persistence via a value under the Windows CurrentVersion\Run registry key, which is executed at user logon; the image path it points to should be compared against the hashes above.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
Commonly a sign of process hollowing or thread hijacking: the caller rewrites the context of a (usually suspended) thread so that it resumes at injected code rather than the original entry point.
-
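The behavioural signatures above (Run-key persistence, reads of FTP, e-mail and browser credential stores, external-IP lookup) translate directly into host-side triage checks. The script below is an added example, not part of the sandbox report: it parses `reg query` output for Run values, confirms persistence by matching the image file's hash against the sample's SHA256 from this report, flags file reads against a list of well-known credential-store paths, and flags DNS queries to public IP-lookup services. The credential-store paths and the IP-lookup hosts are assumed generic lists (the report does not say which files or service this sample touched), and every input is constructed.

```python
"""
Checks for the behaviours listed above: Run-key persistence, reads of FTP /
e-mail / browser credential stores, and external-IP lookups. Added example,
not part of the sandbox report; every input below is constructed.
"""
import re

# SHA256 of the analysed sample, taken from the report above.
SAMPLE_SHA256 = "eb30592d078a3051e00e887c71cc415f1e80f20f43f1f60b808c5cb2be9cb5c6"

# Locations where a legitimately installed autorun rarely lives (assumed heuristic;
# expect false positives such as per-user installers and review them by hash).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")

# Credential stores of the kind the signatures refer to. Assumed generic list of
# well-known paths; the report does not say which files this sample read.
# Order matters: a Thunderbird logins.json is classified as e-mail, not browser.
CREDENTIAL_STORES = {
    "ftp": ("\\filezilla\\sitemanager.xml", "\\filezilla\\recentservers.xml"),
    "email": ("\\thunderbird\\",),
    "browser": ("\\login data", "\\logins.json", "\\key4.db", "\\web data"),
}

# Public "what is my IP" services (assumed list; the report does not name the one used).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.amazonaws.com", "api.ipify.org", "ipinfo.io", "icanhazip.com"}

RUN_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
EXE_PATH_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)


def parse_run_keys(reg_query_text):
    """Parse `reg query <key>` output into (key, value_name, exe_path, raw_data) tuples."""
    entries, current_key = [], None
    for line in reg_query_text.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = RUN_VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        data = m.group("data")
        pm = EXE_PATH_RE.match(data)
        entries.append((current_key, m.group("name"), pm.group("path") if pm else data, data))
    return entries


def classify_run_entries(entries, sha256_by_path, sample_sha256=SAMPLE_SHA256):
    """'confirmed' = image hash equals the sample; 'suspicious' = image lives in a
    user-writable directory. A non-matching hash does not exonerate an entry."""
    confirmed, suspicious = [], []
    for key, name, path, _ in entries:
        lowered = path.lower()
        if sha256_by_path.get(lowered) == sample_sha256:
            confirmed.append((key, name, path))
        elif any(d in lowered for d in USER_WRITABLE):
            suspicious.append((key, name, path))
    return {"confirmed": confirmed, "suspicious": suspicious}


def flag_credential_store_reads(file_events):
    """file_events: (process, operation, path) tuples from a file-activity trace.
    Returns (process, category, path) for reads of known credential stores."""
    hits = []
    for proc, op, path in file_events:
        if op.lower() not in {"createfile", "readfile", "open", "read"}:
            continue
        lowered = path.lower()
        for category, needles in CREDENTIAL_STORES.items():
            if any(n in lowered for n in needles):
                hits.append((proc, category, path))
                break
    return hits


def flag_ip_lookups(dns_queries):
    """Queried names that belong to public external-IP services."""
    return [q for q in dns_queries if q.lower().rstrip(".") in IP_LOOKUP_HOSTS]


# ---- constructed inputs -------------------------------------------------------
REG_QUERY_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\Updater\Updater.exe
    Defender    REG_SZ    "C:\Program Files\Windows Defender\MSASCuiL.exe"
"""
# Hashes an analyst would compute on the host; only Updater.exe is the sample (constructed).
HASHES_SAMPLE = {
    r"c:\users\alice\appdata\roaming\updater\updater.exe": SAMPLE_SHA256,
    r"c:\users\alice\appdata\local\microsoft\onedrive\onedrive.exe": "0" * 64,
}
FILE_EVENTS_SAMPLE = [  # procmon-style (process, operation, path), constructed
    ("Mvyfnzkjh1.exe", "CreateFile", r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"),
    ("Mvyfnzkjh1.exe", "CreateFile", r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"),
    ("Mvyfnzkjh1.exe", "CreateFile", r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("Mvyfnzkjh1.exe", "CreateFile", r"C:\Users\alice\Documents\notes.txt"),
    ("explorer.exe", "CreateFile", r"C:\Users\alice\AppData\Roaming\FileZilla\filezilla.xml"),
]
DNS_SAMPLE = ["mail.impresstilecleaners.com.au", "checkip.dyndns.org", "www.microsoft.com"]


def triage():
    """Run all three checks over the constructed inputs and return the findings."""
    return {
        "run_keys": classify_run_entries(parse_run_keys(REG_QUERY_SAMPLE), HASHES_SAMPLE),
        "credential_reads": flag_credential_store_reads(FILE_EVENTS_SAMPLE),
        "ip_lookups": flag_ip_lookups(DNS_SAMPLE),
    }


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, result)
```

The hash match is what turns "a Run value in AppData" into a confirmed finding; the path heuristic alone will also catch legitimate per-user software (OneDrive in the constructed input), so treat the suspicious list as a review queue, not an alert.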