General
-
Target
ba0da96a27a70f0c5a5a21921d50fd32ae89319fec130ddb50691d039f876fa6
-
Size
387KB
-
Sample
220521-cph7vahcfj
-
MD5
81f5e4357ddac06c86c6585378014b47
-
SHA1
e62946caec61f0ff304917d8eed2fc04f14ed685
-
SHA256
ba0da96a27a70f0c5a5a21921d50fd32ae89319fec130ddb50691d039f876fa6
-
SHA512
8f517a0e9b8a0e39acde766554e1d8bcfaf30b56c6b58fa41d42e43e5456d7a7ae5a110346ea4e53a4fb72131624eb485db6e07b99c07fffb8cff82009482a2e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.tolipgoldenplaza.com - Port:
587 - Username:
[email protected] - Password:
Golden@#$2019
Extracted
Protocol: smtp- Host:
mail.tolipgoldenplaza.com - Port:
587 - Username:
[email protected] - Password:
Golden@#$2019
Targets
-
-
Target
SOA APRIL.exe
-
Size
421KB
-
MD5
dd5f37195ac446c6f7e09321bcb64a63
-
SHA1
45e979b5abc28b86d3b277b64f8992aec3a4b277
-
SHA256
1753cdd1b934ad14f3b6a767859c941a2f5a3a734834a9ae2ca5204281b1974c
-
SHA512
d50d18c69d93ac9b4811aa8a63d0906e795f2d41f05a9e8b3166eda0a7904e7e426c95b3afabed567f78f31b74dfab78cc00e151c403b27d0d838f0d608c081d
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-