General
-
Target
a8592530826bffe4e397e6f53054c366cef50d567bc9f54ddb4c4a960cb21537
-
Size
2.1MB
-
Sample
220521-ct1yfshefr
-
MD5
6f38eaad5b00fbe6b3798cec38e8f6ec
-
SHA1
48f126f2629b8c5498453ab198b138ee3911ea75
-
SHA256
a8592530826bffe4e397e6f53054c366cef50d567bc9f54ddb4c4a960cb21537
-
SHA512
8a07cc61287634452e38d977b0ed87ab09a508e381a5ca8d3e7502f1abb4fd3130ad804d9f94c621b0b28c2c9d9086daec7b431b23fbc23d8bfe1cb5f1c0c790
Static task
static1
Behavioral task
behavioral1
Sample
DIAGRAM.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
DIAGRAM.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
INV45367.exe
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
INV45367.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
PICS.exe
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
PICS.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: z123456789ok
Extracted
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: z123456789ok
Targets
-
-
Target
DIAGRAM.EXE
-
Size
666KB
-
MD5
4f356846f7030367803453f210306628
-
SHA1
960fa757fdb7f628facb24b8b686f20c2fa79382
-
SHA256
f7cc73c4bd3b43e1c4be82c8ea43d8db9bd170acc78031e83f8c71277a2d8990
-
SHA512
7ff8bda0b221bacb3b9c1d9e41e7331374963d51f4e96dcde3e99d477aef8c8d2985144110313415c624bd5c8e48188ac81456396748b1d549a19b68aff9ab86
Score
9/10
-
Looks for VirtualBox Guest Additions in registry
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
INV45367.EXE
-
Size
441KB
-
MD5
8dfeeb5848cde9dfd0aa8c504eefeda0
-
SHA1
8db0db50f886d43665351dba54fca2652d1db18e
-
SHA256
07314d5b91857ca3814c9388a01179c00d6fd8aeb8ff93a73327cffce42c8650
-
SHA512
d4d0b26035da900546be561b4abde39346309a7069ce58ea0faeb4c9dcdd32aea15880333d937337b62b55510924acc239b98bd119d3cbb087095a2e0222acce
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
-
-
Target
PICS.EXE
-
Size
431KB
-
MD5
c4996221c4549bc88d77fd2f265e6a13
-
SHA1
8516f1e99b52e4f22f3c4ccd75d7858c669375d5
-
SHA256
396f3200a662d0bb44c36326b2501aac7eddb8117b78c956d1569a9d1e83729e
-
SHA512
953f70203797dc35b9bc1e479baf25d417674dfc6c36fc6325caf7f54bfcbb81633b15849efe4c3ee4277b3d1873abf4325bf3c38fb159ee4b036c976726dafe
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-
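The behaviour signatures listed under each target (the VirtualBox, VMware, BIOS, location and drive-enumeration registry reads, the Outlook profile access, the external IP lookup) and the extracted SMTP configuration (smtp.gmail.com:587) can be turned into host-side detection logic. The following is an added example written for this page, not code from the sandbox report or from Agent Tesla: it maps a constructed stream of endpoint events onto the report's signature names. The registry paths are the commonly documented locations these checks read, the event format, the mail-client allowlist and the IP-lookup host watchlist are assumptions, and the Sysmon caveat in the docstring matters in practice.

```python
"""Map endpoint telemetry onto the behaviour signatures in the report above.

Added example, not part of the sandbox report or of Agent Tesla.  Registry
paths are the commonly documented locations these checks read; the event
format and the sample stream below are constructed for illustration.
Caveat: Sysmon records registry writes (EID 12/13/14) but not reads, so
this kind of logic needs API-level telemetry (a sandbox hook log, or an
EDR that records RegQueryValue/RegOpenKey calls).
"""
import re
from collections import defaultdict

# (signature name as it appears in the report, regex over the registry path)
REGISTRY_SIGNATURES = [
    ("Looks for VirtualBox Guest Additions in registry",
     r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMWare Tools registry key",
     r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry",
     r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)"),
    ("Checks computer location settings",
     r"\\Control Panel\\International\\Geo\\Nation"),
    ("Maps connected drives based on registry",
     r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"),
    ("Accesses Microsoft Outlook profiles",
     r"\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles"),
]

# Assumed allowlist: processes expected to speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
# Hypothetical watchlist of public IP-echo services (assumption, not from the report).
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org"}

# Constructed telemetry format: <process> <reg_read|net_connect> <target>
EVENT_RE = re.compile(
    r"^(?P<proc>\S+)\s+(?P<kind>reg_read|net_connect)\s+(?P<target>.+)$"
)


def classify(line):
    """Return (process, signature name) for one telemetry line, or None."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    proc = m.group("proc").lower()
    kind, target = m.group("kind"), m.group("target")
    if kind == "reg_read":
        for name, pattern in REGISTRY_SIGNATURES:
            if re.search(pattern, target, re.IGNORECASE):
                return proc, name
        return None
    host, _, port = target.rpartition(":")
    port = int(port)
    # The report's config points at smtp.gmail.com:587; any non-mail process
    # talking to a submission port is worth flagging regardless of host.
    if port in SMTP_PORTS and proc not in MAIL_CLIENTS:
        return proc, f"SMTP connection to {host}:{port} from non-mail process"
    if host.lower() in IP_LOOKUP_HOSTS:
        return proc, "Looks up external IP address via web service"
    return None


def triage(lines):
    """Group matched signatures per process, preserving first-seen order."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result:
            proc, sig = result
            if sig not in hits[proc]:
                hits[proc].append(sig)
    return dict(hits)


# Constructed event stream modelled on the DIAGRAM.exe behaviour in the report.
SAMPLE_EVENTS = """
DIAGRAM.exe reg_read HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
DIAGRAM.exe reg_read HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
DIAGRAM.exe reg_read HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
DIAGRAM.exe reg_read HKCU\\Control Panel\\International\\Geo\\Nation
DIAGRAM.exe reg_read HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
DIAGRAM.exe reg_read HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook
DIAGRAM.exe net_connect api.ipify.org:443
DIAGRAM.exe net_connect smtp.gmail.com:587
outlook.exe net_connect smtp.gmail.com:587
explorer.exe reg_read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
""".strip().splitlines()

if __name__ == "__main__":
    for proc, sigs in triage(SAMPLE_EVENTS).items():
        print(proc)
        for s in sigs:
            print("  -", s)
```

Any one of the registry reads is common in legitimate software (installers check for VM tools, Office reads its own profiles), so the useful signal is the combination: one unsigned process hitting several of these keys and then opening a submission-port connection, which is exactly the sequence the report records for each of the three binaries.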