General
-
Target
Revised Invoice.exe
-
Size
515KB
-
Sample
211021-qy4rssbcbl
-
MD5
1ae2e78d2b430f6611846c820d19d627
-
SHA1
2034c7970065c117a663b7a009d5f0c555857234
-
SHA256
96ee59d995670b53d0049b7f763381428b19f87d919b83e1bcdebac90e9846d0
-
SHA512
d9d781b1a31a90900fa3ec99f084c46294e25dfc147f5361107b1dd64b656d9e2e1d5440d5864207479cf8fadf41c04b8a4df97a17f1837f924a3203143a1e8c
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.davaobay.com.ph - Port:
587 - Username:
raeburngonzaga@davaobay.com.ph - Password:
p@ssw0rd
Targets
-
-
Target
Revised Invoice.exe
-
Size
515KB
-
MD5
1ae2e78d2b430f6611846c820d19d627
-
SHA1
2034c7970065c117a663b7a009d5f0c555857234
-
SHA256
96ee59d995670b53d0049b7f763381428b19f87d919b83e1bcdebac90e9846d0
-
SHA512
d9d781b1a31a90900fa3ec99f084c46294e25dfc147f5361107b1dd64b656d9e2e1d5440d5864207479cf8fadf41c04b8a4df97a17f1837f924a3203143a1e8c
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Drops file in Drivers directory
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-