General
Target: SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18970
Size: 1.4MB
Sample: 210120-kbbn5tbvxs
MD5: f14aa539774febdbb336e256eba3738c
SHA1: 87c54c41c7a0a29e1e4607d8f07b4c665a226b78
SHA256: 043bdeb2605902253d8f2f35e312910f86b287c6c4d65560b8c3741d65aec9ff
SHA512: 9b8968a64cfaf69282071de6d2ff152add5256a53a5ae0df31b7f9bed103c55cad0ab9afe29f1503b7e6a69edc639e325f03e693baf49cf2aa7bd64090b737c7
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18970.exe
Resource: win7v20201028
Behavioral task: behavioral2
Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18970.exe
Resource: win10v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.naijajob.net
Port: 587
Username: info@naijajob.net
Password: r]n~Q6,I5hnQ
This is the sample's exfiltration channel: Agent Tesla mails the data it collects over SMTP submission (port 587), authenticating to the attacker-controlled mailbox with these embedded credentials. The host and account are the indicators to block and hunt for.
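As an added example (not part of this report, and not Agent Tesla's own code), the Python below turns the report's file hashes and the extracted SMTP config into two checks an analyst can run: a full-hash comparison for a suspect file, and a pass over network-connection records that flags any connection to mail.naijajob.net on port 587 as a high-confidence hit and any other SMTP-port connection from a process that is not a known mail client as a medium-confidence lead. The Sysmon Event ID 3 style log lines, the hosts WS01/WS02, the address 203.0.113.10 and the KNOWN_MAIL_CLIENTS list are constructed for the example and should be tuned to the estate being monitored.

```python
import hashlib
import re

# Indicators copied from this report: the sample's file hashes (General
# section) and the extracted AgentTesla SMTP exfiltration config.
SAMPLE_HASHES = {
    "md5": "f14aa539774febdbb336e256eba3738c",
    "sha1": "87c54c41c7a0a29e1e4607d8f07b4c665a226b78",
    "sha256": "043bdeb2605902253d8f2f35e312910f86b287c6c4d65560b8c3741d65aec9ff",
}
EXFIL_HOST = "mail.naijajob.net"
EXFIL_PORT = 587

# SMTP/submission ports an infostealer might use for mail-based exfil.
SMTP_PORTS = {25, 465, 587}
# Processes expected to speak SMTP from a workstation (assumption: tune for
# the estate being monitored; unknown senders are only medium confidence).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 hex digests of a file's bytes, keyed like SAMPLE_HASHES."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_sample(data: bytes) -> bool:
    """True only when every reported digest agrees. A file that matches one
    algorithm but not the others points to a transcription error in the IOC
    set, not to a real hit, so partial agreement is treated as no match."""
    digests = hash_bytes(data)
    return all(digests[algo] == SAMPLE_HASHES[algo] for algo in SAMPLE_HASHES)


# Constructed Sysmon Event ID 3 style records (one per line) for the demo;
# they are invented for this example and do not come from the report.
NETWORK_LOG = """\
2021-01-20T11:02:14Z host=WS01 image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE dst=smtp.office365.com dport=587
2021-01-20T11:03:51Z host=WS01 image=C:\\Users\\alice\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18970.exe dst=mail.naijajob.net dport=587
2021-01-20T11:04:02Z host=WS02 image=C:\\Users\\bob\\AppData\\Roaming\\svchost.exe dst=203.0.113.10 dport=465
2021-01-20T11:05:30Z host=WS02 image=C:\\Windows\\System32\\svchost.exe dst=update.example.net dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def triage_network(log_text: str) -> list:
    """Return (confidence, host, process, destination) findings.

    A connection to the extracted mailbox host on the extracted port is a
    high-confidence match; any other SMTP-port connection from a process that
    is not a known mail client is a medium-confidence lead for an analyst.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the run
        dport = int(m["dport"])
        process = m["image"].rsplit("\\", 1)[-1].lower()
        dst = m["dst"].lower()
        if dst == EXFIL_HOST and dport == EXFIL_PORT:
            findings.append(("high", m["host"], process, dst))
        elif dport in SMTP_PORTS and process not in KNOWN_MAIL_CLIENTS:
            findings.append(("medium", m["host"], process, dst))
    return findings


if __name__ == "__main__":
    for finding in triage_network(NETWORK_LOG):
        print(finding)
```

Port 587 normally carries STARTTLS, so the username and password in the config are only visible in the binary and in the sandbox's hooked API calls, not on the wire; network detection therefore keys on the destination host and port, and the credentials are what you hand to the mail provider for takedown.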
Targets
Target: SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18970
Size: 1.4MB
MD5: f14aa539774febdbb336e256eba3738c
SHA1: 87c54c41c7a0a29e1e4607d8f07b4c665a226b78
SHA256: 043bdeb2605902253d8f2f35e312910f86b287c6c4d65560b8c3741d65aec9ff
SHA512: 9b8968a64cfaf69282071de6d2ff152add5256a53a5ae0df31b7f9bed103c55cad0ab9afe29f1503b7e6a69edc639e325f03e693baf49cf2aa7bd64090b737c7
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer written in Visual Basic.
AgentTesla Payload
Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla, which store saved server credentials.
Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application: writes an autostart entry under the Windows CurrentVersion\Run registry key so the payload is launched again after a reboot or logon.
Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext: rewriting another thread's context (for example its entry point) is characteristic of process hollowing and similar injection techniques.
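The six signatures above describe the usual infostealer sequence: persist, harvest credential stores, learn the victim's public IP, inject. As an added example (not from this report or the sandbox), the Python below classifies constructed host events against those signatures and flags a process only when several of them coincide, so a legitimate installer writing its own Run key or a browser reading its own Login Data is not reported. The credential-store paths, the STORE_OWNERS and IP_LOOKUP_HOSTS lists, the directory in SAMPLE_EXE and every event line are assumptions made for the example; the report does not name the lookup service or the specific files this sample read.

```python
import re

# Sample path used in the constructed events below; the file name is the
# one from this report, the directory is an assumption.
SAMPLE_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.tc.18970.exe"

# Autostart location behind the "Adds Run key" signature (HKCU or HKLM).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

# Credential stores behind the three "Reads ... data" signatures. These are
# default install locations chosen for the example, not paths from the report.
CREDENTIAL_STORES = {
    "ftp_client": re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.IGNORECASE),
    "email_client": re.compile(r"\\(Thunderbird\\Profiles|Microsoft\\Outlook)\\", re.IGNORECASE),
    "browser": re.compile(r"\\(Google\\Chrome|Mozilla\\Firefox)\\.*\\(Login Data|logins\.json|key4\.db)$", re.IGNORECASE),
}
# Applications that legitimately read their own stores; reads by anything
# else are what the signatures are about (assumption: extend for your estate).
STORE_OWNERS = {
    "ftp_client": {"filezilla.exe"},
    "email_client": {"thunderbird.exe", "outlook.exe"},
    "browser": {"chrome.exe", "firefox.exe"},
}
# Public IP lookup services commonly queried by infostealers (assumption:
# the report does not say which service this sample used).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com", "ifconfig.me"}


def classify_event(event_type, image, obj):
    """Map one host event to the report signature it satisfies, or None."""
    process = image.rsplit("\\", 1)[-1].lower()
    if event_type == "registry_set" and RUN_KEY_RE.search(obj):
        return "run_key_persistence"
    if event_type == "file_read":
        for store, pattern in CREDENTIAL_STORES.items():
            if pattern.search(obj) and process not in STORE_OWNERS[store]:
                return f"reads_{store}_data"
        return None
    if event_type == "dns_query" and obj.lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if event_type == "set_thread_context":
        # Rewriting a thread context in another process is the hollowing step.
        return "set_thread_context"
    return None


def triage_host_events(log_text):
    """Group satisfied signatures by originating process image (sorted lists)."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) != 4:
            continue  # malformed record: skip rather than abort
        _ts, event_type, image, obj = parts
        sig = classify_event(event_type, image, obj)
        if sig:
            hits.setdefault(image, set()).add(sig)
    return {image: sorted(sigs) for image, sigs in hits.items()}


def flag_infostealers(log_text, threshold=3):
    """Processes that trip at least `threshold` distinct signatures. One hit
    (an installer adding its own Run key) is normal; persistence plus
    credential-store reads plus an IP lookup from one process is not."""
    return [img for img, sigs in triage_host_events(log_text).items() if len(sigs) >= threshold]


# Constructed events, pipe-separated as timestamp|type|process image|object.
HOST_EVENTS = f"""\
2021-01-20T11:03:40Z|registry_set|{SAMPLE_EXE}|HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate
2021-01-20T11:03:41Z|file_read|{SAMPLE_EXE}|C:\\Users\\alice\\AppData\\Roaming\\FileZilla\\sitemanager.xml
2021-01-20T11:03:42Z|file_read|{SAMPLE_EXE}|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2021-01-20T11:03:43Z|file_read|{SAMPLE_EXE}|C:\\Users\\alice\\AppData\\Roaming\\Thunderbird\\Profiles\\abcd1234.default\\logins.json
2021-01-20T11:03:45Z|dns_query|{SAMPLE_EXE}|api.ipify.org
2021-01-20T11:03:46Z|set_thread_context|{SAMPLE_EXE}|{SAMPLE_EXE}
2021-01-20T11:10:00Z|file_read|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data
2021-01-20T11:12:00Z|registry_set|C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe|HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
"""

if __name__ == "__main__":
    for image, sigs in triage_host_events(HOST_EVENTS).items():
        print(image, sigs)
    print("flagged:", flag_infostealers(HOST_EVENTS))
```

The threshold is the point of the exercise: each signature on its own is common on a healthy workstation, and the sandbox only calls them suspicious because one binary produced all of them within seconds.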