General
-
Target
cfa7f05133b81360e24875fb933f29fb5811736e9b86cf356248b56fecce128c
-
Size
396KB
-
Sample
220521-cjn6xahacp
-
MD5
90aed3e0ddbc381e7c414a3decabe4bc
-
SHA1
3b67a250188a167810236485aaa815ba91a25146
-
SHA256
cfa7f05133b81360e24875fb933f29fb5811736e9b86cf356248b56fecce128c
-
SHA512
345faa2c73afbc9c4163d30e29a95bbdfbf24f371740ffa6a96034e145333e5c269856b61dc36091a28e612b52ccd80c74dc38e4f5ae20060d3d458a1365e6dc
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
OGOM12345
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
OGOM12345
Targets
-
-
Target
Quotation Valves & flanges and fittings.exe
-
Size
419KB
-
MD5
bc31e6b8c5414b43748f2a75ffe32724
-
SHA1
ef1731bc72b671d1cc49447fcd7e9ec2d31d23e9
-
SHA256
2919867ab52378d55e7d91b3b18c30b79c8527621aa9e2c2fe71d0b89dbc404a
-
SHA512
9a47106436969d840858b56a7fc94f4fef652947c628f329eaac8035157e051524991fc3447fa7ace0ea7e39c40d61faa25dea80ceb4edf5d01662cb4c67be5e
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-