General
-
Target
6d9edc2463192ab41345fd48b44d3ce69c47a2b70097c8e31a153190a18b2b1d
-
Size
412KB
-
Sample
220521-angxaaddgl
-
MD5
6b0708c4751a9d8592aa97796d706523
-
SHA1
d72826024b7f979345ad6c4a33c4df0f5821e6a2
-
SHA256
6d9edc2463192ab41345fd48b44d3ce69c47a2b70097c8e31a153190a18b2b1d
-
SHA512
4b28dd52a2837a8cf14fa837a05051deb4956fe75443ac130a5a127133448d949c2e027c263bea4eb7da2d395e3b5d743c20239c3d2c28c3318732deb677ec04
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.threewaystoharems.com - Port:
587 - Username:
[email protected] - Password:
sales@123456
Extracted
Protocol: smtp- Host:
mail.threewaystoharems.com - Port:
587 - Username:
[email protected] - Password:
sales@123456
Targets
-
-
Target
Purchase Order.exe
-
Size
455KB
-
MD5
0de607d7e44900630a03902716cde06d
-
SHA1
2996fc9fd8b2b09c56b26cfa675acfabe8ae9139
-
SHA256
6567bac453fabf7e0049d881db8ee06561d7aee2262b8181c8e8788a3e18999d
-
SHA512
93577c57782f91cfd88feee3746bae75a051d31aceb64b8291d5b8ecedc520e75473aedbd4ca9903a91bdd4aec3ebb33dd30d2bc37670ef843bc9c4b9443579f
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-