General
-
Target
dfddf691b73ffa451dc622937e02d6d871be6e0d9ebe17669094f042198fe9ae
-
Size
1.6MB
-
Sample
220521-bm147scbc8
-
MD5
256d7f3f0d155df9f81808f679b82a67
-
SHA1
d2b777d84163b7297790dd6f3bb96a508ef0c6eb
-
SHA256
dfddf691b73ffa451dc622937e02d6d871be6e0d9ebe17669094f042198fe9ae
-
SHA512
abc51a34f9bfd6cf0c6b00dc440a6d5a6d3effb34da1561b119208971762738341c8139c03cc6a5232ca8b7683405976b464aa13902ef0e1549ce29776df3393
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
43210001234
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
43210001234
Targets
-
-
Target
CL00020Q0332565SCL.exe
-
Size
1.7MB
-
MD5
1a14e4d83979fef847fea0458650259c
-
SHA1
d834b0528a464bace1a9ca27453d23d1dbdec6bd
-
SHA256
4a21af08ec456587b0e3fe9e1ba3c9e64e2058c09ec0e17b7ad690691bb4ca14
-
SHA512
d8fb9fba07e75e6a4c49d5f039ffcd1ba7981476185ea3942bb266bac005fe8576672516b442d199faae20bd215f8ade912e08242c89abaf1a3e72d2ffae0c5d
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-