General
-
Target
Order List.exe
-
Size
41KB
-
Sample
210421-p24k5ac9jj
-
MD5
2400fe7dc0c57c484ee2f27c3ecfa448
-
SHA1
a91970dd408d95ed439bed31d9bddf9357199716
-
SHA256
b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21
-
SHA512
fa4d76516b5c0c97a5fe7a2b88c81cca1a579624dfc5cb9c7c16fb36bb0ca870657bbd2108309f999a4c21cbad0565e16a7c4a9a72915e4b97c837824e7dc557
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
lags@d0llartree.com - Password:
mmm777
Targets
-
-
Target
Order List.exe
-
Size
41KB
-
MD5
2400fe7dc0c57c484ee2f27c3ecfa448
-
SHA1
a91970dd408d95ed439bed31d9bddf9357199716
-
SHA256
b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21
-
SHA512
fa4d76516b5c0c97a5fe7a2b88c81cca1a579624dfc5cb9c7c16fb36bb0ca870657bbd2108309f999a4c21cbad0565e16a7c4a9a72915e4b97c837824e7dc557
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Windows security bypass
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-