General
-
Target
RFQ-207480-PR-128311 (2).cab
-
Size
350KB
-
Sample
210421-1jfvjd1y4a
-
MD5
4f6f8247d50c988e5d4891ffbfc7bf5f
-
SHA1
19ae87f1efc34f20c67d82e94aeca42449c2fcc0
-
SHA256
0993b98ff8137f018c33904a462336b55edce03fe26380ba356c65cc99976cb9
-
SHA512
ff92be5cbe33ad0064cdbe49c7967c6ff80fe5475c622c0aebaf9a1c73f615fb917a32f328ed68781d9e7c8eca72c424a9d99a7d8fd5e4a8b371d36bbf184e09
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.t7global-my.com - Port:
587 - Username:
manage@t7global-my.com - Password:
KyDCvxSl$2
Targets
-
-
Target
RFQ-207480-PR-128311 (2).exe
-
Size
460KB
-
MD5
502049e944a8d3bbb0138098597b30e8
-
SHA1
5242d649abb58f4d797bad53c448bd5028a7fdce
-
SHA256
2be649f814ee89705f39489d11d8dc2d32e76ba97cec1f0707edc0ec4b4aa060
-
SHA512
61270a3112f90358050597ddc0c92c70a8d086b42d3e1bcbdabca8751730835f0ccd13ae3536fdcc688fbeedb9d69087acc7bf9d2861a698b68ecce15f164e8d
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Nirsoft
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-