General
-
Target
62f7752268a1df25462c61c1718174a30e5b5b4c3f2f3e11fb7e7dee5c870087
-
Size
476KB
-
Sample
220521-ddd97aaegq
-
MD5
12ea0c1b0526fb80dfc6a43a390843e7
-
SHA1
5ecaed1c45402b2ede76bcaabdd6268478f45033
-
SHA256
62f7752268a1df25462c61c1718174a30e5b5b4c3f2f3e11fb7e7dee5c870087
-
SHA512
e026cdf6a55e2efb589bd5f43a4c073b4d0c40c86476fb45785d03fbfaa89f8a0c4688737876c5e3f6679884b1d75f6e9ea8294d8d1d8adb0812d9f831b2612e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
dmkozlovd@yandex.ru - Password:
Starboy@22
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
dmkozlovd@yandex.ru - Password:
Starboy@22
Targets
-
-
Target
New Request.exe
-
Size
553KB
-
MD5
abf16f4f5482738b53393f835dd6b9f9
-
SHA1
989529e1969a6b971a632a176862d5291fc5e2a1
-
SHA256
0b6118c17d89a24512971b9190cf4e76b54e0f02cb06d23d899a17feb9fc64f3
-
SHA512
e8dca4d90155c920b11cb2ebf44f65b93374b532a1c5f757937676939f68f254234318aa057b67ae32fdeae31f334f99218c2cb51fed27d3d1bf490317e42e04
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
SnakeBOT
SnakeBOT is a heavily obfuscated .NET downloader.
-
AgentTesla Payload
-
Contains SnakeBOT related strings
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-