General
-
Target
851fc7870825a1ed7d054b944ec530dee2bc9c0dd7033b688bbe4f9f4ccd0d0a
-
Size
344KB
-
Sample
220521-bjwejsfaan
-
MD5
2a239a9333d1f5f53cef945d30f58420
-
SHA1
3ce5b97c7a663ae99afe73d84c7c72c4f83d3ae1
-
SHA256
851fc7870825a1ed7d054b944ec530dee2bc9c0dd7033b688bbe4f9f4ccd0d0a
-
SHA512
e7e761f17303479ab3532d4d2d353301d23fff1b30329073e2919792f47eb0e47b138d271205c7d4f11190489e5c34d2abb90d2e733c45054b34a75349474846
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.foximal.com - Port:
587 - Username:
[email protected] - Password:
K((txhr1
Targets
-
-
Target
y0hwbaeq.mr5.exe
-
Size
421KB
-
MD5
5e3ede74d8161582bafb6b76138ed4ee
-
SHA1
2ae555a427151307f9af529aaebcbe13540f2d22
-
SHA256
4f8e17ff868eff91be064b6386912f323527a0ef2a1998f7d620388e4116cb73
-
SHA512
e36f9962696a6f158e608f587974504131faa9c2b8871c6466fe78c150e08e9d28d8fb03e97d0ce87f796c572d55b44fb9dc8d9938106b5f25a659a4ebc70e8b
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-