General
Target: Invoice.exe
Size: 696KB
Sample: 210115-lrz3prb516
MD5: f1ce02a0161b6b260bef7b0ddf49412b
SHA1: a35bb9b5a57e5b1821b0bfbe33919436a565292b
SHA256: 49c4ccb66851d9f01f95a8c8d0b68110e8e66bfb36cdecc5637de97ab8c08082
SHA512: 7b46e7261b07700bbe7ed0dfd0167779ab992fca71b64b82204aa917ceb848dc6e9f5f087513557d286f4d1acfaa006aaf0dea410d50401fd93fc25630ed05de
Static task: static1
Behavioral task: behavioral1
Sample: Invoice.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: Invoice.exe
Resource: win10v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.orionfeshion.com
Port: 587
Username: wagasurelogs@orionfeshion.com
Password: LiPwzbc5
Targets
Target: Invoice.exe
Size: 696KB
MD5: f1ce02a0161b6b260bef7b0ddf49412b
SHA1: a35bb9b5a57e5b1821b0bfbe33919436a565292b
SHA256: 49c4ccb66851d9f01f95a8c8d0b68110e8e66bfb36cdecc5637de97ab8c08082
SHA512: 7b46e7261b07700bbe7ed0dfd0167779ab992fca71b64b82204aa917ceb848dc6e9f5f087513557d286f4d1acfaa006aaf0dea410d50401fd93fc25630ed05de
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops file in Drivers directory
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Suspicious use of SetThreadContext