General
-
Target
08c1acc233ffbfbd00d3a1a96423dda03e9012ce04d064b56c6df47d0a4baa49
-
Size
377KB
-
Sample
220521-d3zx7abgdr
-
MD5
ac0b9fa3eaf901797a96e4c4a0b6b44c
-
SHA1
35e8d896d6b70458f59ac2469fc452be82ab8529
-
SHA256
08c1acc233ffbfbd00d3a1a96423dda03e9012ce04d064b56c6df47d0a4baa49
-
SHA512
8cd16287392380907ffe5615e253fed136c84de92ded2e32c5abce6330351dde46e976d7f516887b6daf144e0fe494ad10d77abb074fd0ca72ad6985b7b7a0db
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gfaqrochem.com - Port:
587 - Username:
turkey@gfaqrochem.com - Password:
FkbjX@(6
Targets
-
-
Target
OC_Y9057241738.exe
-
Size
410KB
-
MD5
e9ed40cd41060913c64c2854b32709cc
-
SHA1
0fee17c5fdc6df6b8df4609494347aa6099d3371
-
SHA256
bb8b06ada96296ed57372c977fd4279afd2d273cb3613080b243f15936c89096
-
SHA512
f599abe39c95d211a6c7d11ecd310078ffb78fdf5f1f7e7c98f6ab1dd92e02bb9f5826f208e4dcdd985a0a68a523ab9b5ccaf017c8da70df9e0bf4e88d1b5107
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
CoreCCC Packer
Detects CoreCCC packer used to load .NET malware.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-