General
-
Target
cd9b157326d34a9c50e9d2c997b127c4a0b55be835674546359860a36abeb998
-
Size
464KB
-
Sample
220521-cj9slsead7
-
MD5
948ff9f499268c6deab0c37e2a32b925
-
SHA1
0ee441fe3da73d7e4ccb108269fa93f4d4248a9d
-
SHA256
cd9b157326d34a9c50e9d2c997b127c4a0b55be835674546359860a36abeb998
-
SHA512
2a26450a7063e63cccb2e0380faa49ecf79b72c155b2230fd9caff28a5ee059344493e1cfee3e80980524a9646be8a863e7e886265db1a5853d54848463109ac
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Ijeomam288
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Ijeomam288
Targets
-
-
Target
PRODUCT LISTS_____PDF_____0011.exe
-
Size
499KB
-
MD5
bc9fd8f4ea37c6b294ff3a7b4c4f66ce
-
SHA1
48c7c0476a8f55c73be4ff8a2e1938f65514a5da
-
SHA256
145d6a68dc07f5ed56f660761fa8412600d1c553bfcf67b321db725482ff991c
-
SHA512
632e81ce8118a5a52b5008f2cf6dd91896bb8742591ae5a5e7470ea0c72eab06054543e977476bcf5f378f27fe3af1915100b2d34c065e21c53b077308ce9196
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-