General
-
Target
AWB# 102235516763.exe
-
Size
525KB
-
Sample
211203-ve41nscac7
-
MD5
becb8d72429e5816f294986a1772e1a6
-
SHA1
d0136b9a5e8443fbdafbd1d97df695f431eb794e
-
SHA256
27ff4d7994a19e27c347e7794e0e48fa5c66f36e4f27ab407f9044494dd8c5a5
-
SHA512
a2e8ce769f9ee539700b3e14e524c96690e72f8a06eb9b2b46ed654d3dfdd66bf04d7a12ac3f637f19f8eaf528e3ad8ece3ff4006268ed822a25ef95cee65923
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.demo.jeninfo.com - Port:
587 - Username:
[email protected] - Password:
%e&qapQ3oNkx
Targets
-
-
Target
AWB# 102235516763.exe
-
Size
525KB
-
MD5
becb8d72429e5816f294986a1772e1a6
-
SHA1
d0136b9a5e8443fbdafbd1d97df695f431eb794e
-
SHA256
27ff4d7994a19e27c347e7794e0e48fa5c66f36e4f27ab407f9044494dd8c5a5
-
SHA512
a2e8ce769f9ee539700b3e14e524c96690e72f8a06eb9b2b46ed654d3dfdd66bf04d7a12ac3f637f19f8eaf528e3ad8ece3ff4006268ed822a25ef95cee65923
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Drops file in Drivers directory
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-