General
-
Target
9f5d53fdc2d116736278c5a9dea7405a1a1b8f8ce8bb70dcc4ad428bdae1d404
-
Size
421KB
-
Sample
220521-cw3j3aefa4
-
MD5
70a3749dd8e74fdf62dcfe790669b5e0
-
SHA1
7e74c613e07a5817693dc1a4af0cf57e30d7b16f
-
SHA256
9f5d53fdc2d116736278c5a9dea7405a1a1b8f8ce8bb70dcc4ad428bdae1d404
-
SHA512
66fc984f51ffaa8b3282b73d2b863fcaabf1c6a8ef989c3a1f0e4b54482157128e381946c5ecaea0b622fad2f27306af6dc6ecf25302d633dc936afd8b195e28
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mail15.cp247.net - Port:
587 - Username:
[email protected] - Password:
Mm8182
Extracted
Protocol: smtp- Host:
mail.mail15.cp247.net - Port:
587 - Username:
[email protected] - Password:
Mm8182
Targets
-
-
Target
20200519.exe
-
Size
585KB
-
MD5
3dbb45eb1065587b6ca76eebf5be4520
-
SHA1
97f04adbdfa65a6542b9b6dffd13dc863a019aad
-
SHA256
e715f641963c52fe1d33fc6ec7cdecde1d6cdde26cace5ce1d956dc482d1829b
-
SHA512
3f68d162a6121dbb3b05349a689efa82ee5d6d1f4f211fae310d057f37a0879791cb0a545a80b9467bebfd5f57c158942f1401f85a911e9b32311677123aafb9
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
CoreCCC Packer
Detects CoreCCC packer used to load .NET malware.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-