General
-
Target
683ff12219b3458fac462cb5044875e68c72b9a90342940a247861c946333ebf
-
Size
451KB
-
Sample
220521-db9y3sfdc4
-
MD5
a26a7d43adadc6d2406967fca2afafdf
-
SHA1
f6375b2a88b414f0af5fbf1c90e25a772156ade4
-
SHA256
683ff12219b3458fac462cb5044875e68c72b9a90342940a247861c946333ebf
-
SHA512
818ef2834c9c477a4a7bd795b9f7687214841056046770c33857ef4de38138ae060ac63f4770b35069724b5d27c54f6fb58dcba4d0d5cb3185d55770a1568974
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.sictl.com - Port:
587 - Username:
[email protected] - Password:
Allah123
Targets
-
-
Target
RO009CE44____pdf____.com
-
Size
536KB
-
MD5
6ee5343164c7575008e32bdb11d6d189
-
SHA1
7966286784d8b77aa99c79251862e5497351e42c
-
SHA256
cfcada9f32ecac51e844749839322ed452949ea27728fac1de34580b2319987b
-
SHA512
206325a248f9738f1de8977cb585f802ec390221aceb7d35e571d42b55d5d3859097b37892c5be3349411739d4a52a57bf90f7a39740efb3e9208a2916050f12
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-