General
-
Target
1d59332f7287da547355705e5b68f843702c8e24594e03e26299407ca71a07bb
-
Size
399KB
-
Sample
220521-b2hw6sfhfk
-
MD5
fd71e1c11747d334c83c98e7740f8d3c
-
SHA1
3e3edf010cf421284e686a77065c7bd1f610c705
-
SHA256
1d59332f7287da547355705e5b68f843702c8e24594e03e26299407ca71a07bb
-
SHA512
df936467a6a57a61dead6e7437c9cf20795aeb450304f33c00bdda03a299b21b329fcd56eaeaaa2b885f97c3c1f320a58f51a67e54c93898c1c9150a463076d5
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.scandinavian-collection.com - Port:
587 - Username:
may@scandinavian-collection.com - Password:
kR6d.DFet#7w
Targets
-
-
Target
du0JE2v67hhKcRX.exe
-
Size
481KB
-
MD5
c51434d4264412203a0b4cf62ef0a8c5
-
SHA1
997f7b881dbd164d557af85d0853bb109b418e14
-
SHA256
c2c23df560d4a51bbbe2d506aa134142ab294ec656c57a53edeec7bde1526429
-
SHA512
52668c87b6734384af3bc665ae74d27e51ffd019f4feb44bb42232cf86c0bbcc859fec4b95ec990f502c163a4987508bd72c75c8be993908124beae258947a56
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-