General
-
Target
d3b8295f6b3580094260cf5a8a26263eb70d8bc844bfd82d7ffee33c1a6da6b5
-
Size
435KB
-
Sample
220521-chs4gadhf7
-
MD5
4207520acfab5d158134a5c4c242467b
-
SHA1
4dab510e7105617b29f1d7e4fe2a1f9172b38757
-
SHA256
d3b8295f6b3580094260cf5a8a26263eb70d8bc844bfd82d7ffee33c1a6da6b5
-
SHA512
d4fd0eb803e3a4ab92dccbe9cade37bc825b95b52e38c6ab773fdb11865e870fc7f4e7c6e2eca9b5c4b75e6a7d51adbd12c204a45636eae77b03a46a3fedaa23
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.ilclaw.com.ph - Port:
587 - Username:
[email protected] - Password:
P@ssw0rd
Targets
-
-
Target
Business Proposal AECCFC Scope #20200511.exe
-
Size
680KB
-
MD5
3beb56d44ca6ca36b58b99ccff173d89
-
SHA1
d497bad8ccce793615d22af8fb4f10f0ee830941
-
SHA256
8a8ec6bb5e28a1314eab7ff5c9347bf7ddc567d6cd18f68d26abc364cea0ab8f
-
SHA512
80d26b25643146f2c1f571757301e244ec9a0cd92e59376814bfc490e2b5704edc58cd14489fbe05e4e4e9235de3e14255c2b39bf12d8e87108a0899c314763c
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-