General
-
Target
c07980ab00eadc3038ceb9eb725a77ee6501e670fb3cb96ab58a8007981f8f21
-
Size
404KB
-
Sample
220520-3wa3xshfb2
-
MD5
0ea75d0040f4245f61cbf508187e33e7
-
SHA1
22e3fd6015be9159acf87b9f89a0afcfec03b4df
-
SHA256
c07980ab00eadc3038ceb9eb725a77ee6501e670fb3cb96ab58a8007981f8f21
-
SHA512
4729da3d138a03e8bda584123ccad6be285321b88973c55316e29db5bd1d8dae7cfe1843cebb259cae05dce9592f460021284ae2c03ad45b1fccb17e4ffaf358
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.durainteriordesign.com - Port:
587 - Username:
[email protected] - Password:
successman12
Extracted
Protocol: smtp- Host:
mail.durainteriordesign.com - Port:
587 - Username:
[email protected] - Password:
successman12
Targets
-
-
Target
PO102002.exe
-
Size
456KB
-
MD5
13e21e63f32a1f5997b4e3c6f34a046d
-
SHA1
0398f303c169d10015f30e746e27b836d00df9e1
-
SHA256
b7a5fa475f3dffc48dd10e17c0aba7013ba58752baf49fb83e634ca0d16a61ce
-
SHA512
a246e3d24dc300a800109db2c3f4656e98fa7e2dccdba61efa4c3c52f1e76277c4cbc33e131b28b71bd3b141c7d2c14fa80bbbebf1f54df8da6e2d86c82de9fd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-