General
-
Target
d3a511d38e652a7c47a03a003bde1c1127bfb33d046673645959df3dfb66afc4
-
Size
422KB
-
Sample
220521-chtp1aghhn
-
MD5
43b828d0b92f48df5228f283206709f1
-
SHA1
90e768b81316d64bc715d39a77bbf4ee17568ab3
-
SHA256
d3a511d38e652a7c47a03a003bde1c1127bfb33d046673645959df3dfb66afc4
-
SHA512
52b78a7d393e1a314d37a590e596bdc974ca4d589d0af8bfb93f4d16af96c70d9c53205d94f14d05287b720d4138c882f1ee79e9e7f65e033306528fe4dcf2ef
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.motivarteperu.com - Port:
587 - Username:
[email protected] - Password:
ugB,+mpj}Qg#
Targets
-
-
Target
URGENT ORDER.exe
-
Size
479KB
-
MD5
f8fa97018ec384c1aece80202867d9d8
-
SHA1
262cb1ff3f11e72965c222a10ca508daa6b7ef0d
-
SHA256
658f85d49b2550e1540494f9503b9bffa0154af96f605d88ca37f0aa7de73741
-
SHA512
ed98694a8ac47dc5a557c26ceb45cd596690abebdb943a8d0957ea474f84eb610e7a285ce7e937b540bb656bb8c911a83589695b82de703ffb0c2223060f243f
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-