General
-
Target
f1eb2eeb0503f0d22c7a8e72c8c6eb81a488593c1ff8aaba497d0e17f30bba18
-
Size
388KB
-
Sample
220521-bjzrzabhg5
-
MD5
e20ce9159cd27a6cc93d3889c484b51e
-
SHA1
7c668db5d3f2ea2b857567dedbbd9da316749af0
-
SHA256
f1eb2eeb0503f0d22c7a8e72c8c6eb81a488593c1ff8aaba497d0e17f30bba18
-
SHA512
3b02a3f933e3715aa469ec57e15e2483c9f1217702eedeb24dbcbbdf1dea96c9b64a332a5437fc2a28731c7391d4792b42e41562401552cde5a7847549b631fd
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.imp-powers.com - Port:
587 - Username:
[email protected] - Password:
AHZlkhbJ1
Extracted
Protocol: smtp- Host:
smtp.imp-powers.com - Port:
587 - Username:
[email protected] - Password:
AHZlkhbJ1
Targets
-
-
Target
OCPI Purchase Order No. 000138 (RV1).exe
-
Size
668KB
-
MD5
e4ebb2f1966b267ad97936ebf0b0b389
-
SHA1
2a175c3b59bea0f304b4f7c184994579dd2dd475
-
SHA256
eb0e9ed08b862d15fc764a1f94b0c05b24387464d96321643872cdc9763a4142
-
SHA512
2d40b3182b56432c535b19d82ee20b5ad66caa8a0b47875eec22c8e97bb275af4ea8c1fb188edcb93cfe5c82ba7fbf4f66d65d3236cb31c7838a5eb927605a7a
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Drops startup file
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-