General
-
Target
f54324caf492c862048a6fd72e56bf3a36f2b8b4e6f0dd74fe07d289b484039f
-
Size
416KB
-
Sample
220521-b9wg8sgeel
-
MD5
b83efd22ede89e2f2aea10b0e889e2a2
-
SHA1
b53c2dc8255fa245f4ada73fda9c488a5daa4ec9
-
SHA256
f54324caf492c862048a6fd72e56bf3a36f2b8b4e6f0dd74fe07d289b484039f
-
SHA512
0f3280d67ee6098ab0936534f37046a9bd5cefa9d6ff8eb69839774b6d7d6f3832d557b7e6a589d60aa2a2d6489e230d6766bdedd5d9c6b347e2aa54cfc63de6
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
kok-fung.chin@crowncorke.com - Password:
!9aT1sz8?9SqN
Extracted
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
kok-fung.chin@crowncorke.com - Password:
!9aT1sz8?9SqN
Targets
-
-
Target
ORDER.exe
-
Size
521KB
-
MD5
77559b96aa85d93521c6a495560752fa
-
SHA1
979df0aab3414738b825adee8bf322f35d77ba90
-
SHA256
6bece1991883897d6c949fa8eeac82f1bc6b7fbfaf581f5b5be776c4230bd007
-
SHA512
ab07c2f3e732d27756cf23c80c8ce99aa9a3456aecc117c614babee7c54881857933725ca235cec83eaab68144eb7d4996417068331242a6e476f5de217439ab
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-