General
- Target: ORDERR-24102021.bat
- Size: 967KB
- Sample: 211024-r9atjaecf3
- MD5: f4fa5d26ddfaeb8eb27ef6f1e83424a5
- SHA1: 9d2d7f411bcadfdf49300e370fa29617d482e026
- SHA256: 179d2c41bfd55de708d53b5c422df71f8a121aa67526edff75ba727e45db232f
- SHA512: 79336bc3047058258e77ad2858c39a57d15cf4a855eadd64f84e5e4a7eafac2c9f830688fbad80c7969776381b71ffa7895bc0f07d01f672980bfb7345e3d407
Static task
- static1

Behavioral task
- behavioral1
  - Sample: ORDERR-24102021.bat.exe
  - Resource: win7-en-20210920

Behavioral task
- behavioral2
  - Sample: ORDERR-24102021.bat.exe
  - Resource: win10-en-20211014
Malware Config
Extracted
- agenttesla
  - Protocol: smtp
  - Host: smtp.rambler.ru
  - Port: 587
  - Username: [email protected]
  - Password: whore1
Targets
- Target: ORDERR-24102021.bat
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext