General
-
Target
83e575d042a213edbaabfb30d896d9e5cf1057e8a71e69135459634a219c18d8
-
Size
444KB
-
Sample
220521-ahzvxadbfr
-
MD5
4b1bfbe1ce190c247ff94cb62eeaf537
-
SHA1
3bfe84b63fd7bee3f70d052e6504c6cca913667c
-
SHA256
83e575d042a213edbaabfb30d896d9e5cf1057e8a71e69135459634a219c18d8
-
SHA512
704f9bf3c08a5ff3635da30a7c6df1fe9f7b7b7546abeedc8e88f8308a24dfd96cfab8089a52bc3cb9bb48fafa62afa3823a1e14027f094676b83717406ddb09
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cybix.in - Port:
587 - Username:
[email protected] - Password:
cybix@16july
Extracted
Protocol: smtp- Host:
mail.cybix.in - Port:
587 - Username:
[email protected] - Password:
cybix@16july
Targets
-
-
Target
invoice#45493002.exe
-
Size
700KB
-
MD5
f9ddf52783af1c41688f095e442e8d90
-
SHA1
5997923a6d046f382df771c498172328541e0c0e
-
SHA256
4fead9952f6496d1c624aded4eb7ff6ba8332efc386834f0618a1780a4de7bd7
-
SHA512
4e3735402e0ed3dc0f027cea485b868075b2c60de6f23aeb99b8e59f761366d8074266fadaa1ada63ebf8e09d60f04450e18ecea7f879c3620ed157f7dbe1434
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-