General
Target: Versanddetails.zip
Size: 14KB
Sample: 210225-41x438w3xx
MD5: d8735d34e47ea8ff0c4db67c2c8b6591
SHA1: 645ff5f42de05ba1205acf1bff2fc586d77bae75
SHA256: 9dc946f56abedcea514e8e4269b5da886b3326ed8a2c57878c920d589ba7f89e
SHA512: a557c24f2f316c828064109cc7b30169065df3aa0af379c2525636b6d9e7a91554a6f533cb575969ad97f79e8340ca5eb1f00cefc2ca4e5c8a9359db1e729824
Static task: static1
Behavioral task: behavioral1
Sample: Versanddetails.exe
Resource: win7v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.greatdeck.co
Port: 587
Username: info.network@greatdeck.co
Password: Greatd@2018$!
Targets
Target: Versanddetails.exe
Size: 35KB
MD5: 8f82e71e8e56b6f336305a8ce2b08179
SHA1: 39e2a2fa41db2b11af08af08bcc0142a040f7b3c
SHA256: 1efeaa9d208de92593ac3add9c42fa19835ab05ee56f23bf9fb0cbe03188e415
SHA512: 3238a610eb790c16929d7ebd386a20a1c88d73dad70a703603b0e56601576ad5bc3566f16441ef2679c28077f5ea4a42cbf6ea9f4c98ecc50e1a9eb095eb1b67
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Turns off Windows Defender SpyNet reporting
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext