General
-
Target
Payment Advice-BG_EDG9502020073103350022_8273_950___________________________________________________________________.exe
-
Size
782KB
-
Sample
210115-hvg9bk4l32
-
MD5
b086aae86678a00efa4b89ade84a1eac
-
SHA1
9106028ea115b4f265fb2d1a7f5ca481a1cff2ab
-
SHA256
6f970b68cad69c0b6d672940e35dde418280598c320ce12f5e322366a07b44d3
-
SHA512
773cd6103d549559899dba8812cdf24399ccb1646afb929e69da6616ce8e8b352710d4f529d6f24da2de4cd80024a8e1f47ed59cdd2b3a29080633b8d68e5db4
Static task
static1
Behavioral task
behavioral1
Sample
Payment Advice-BG_EDG9502020073103350022_8273_950___________________________________________________________________.exe
Resource
win7v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.vivaldi.net - Port:
587 - Username:
benzpollux@vivaldi.net - Password:
sages101Password123
Targets
-
-
Target
Payment Advice-BG_EDG9502020073103350022_8273_950___________________________________________________________________.exe
-
Size
782KB
-
MD5
b086aae86678a00efa4b89ade84a1eac
-
SHA1
9106028ea115b4f265fb2d1a7f5ca481a1cff2ab
-
SHA256
6f970b68cad69c0b6d672940e35dde418280598c320ce12f5e322366a07b44d3
-
SHA512
773cd6103d549559899dba8812cdf24399ccb1646afb929e69da6616ce8e8b352710d4f529d6f24da2de4cd80024a8e1f47ed59cdd2b3a29080633b8d68e5db4
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-