General
-
Target
5a1c83d3446285b1515956cdc98bb8373d267178e1a219aabf5a9e51b50ae4f2
-
Size
473KB
-
Sample
220521-dfswcsffb3
-
MD5
f81bc06a3d7c21f9e67c917a77c8139d
-
SHA1
65d6a590f1e275f1296354ef9fadaa8392533e64
-
SHA256
5a1c83d3446285b1515956cdc98bb8373d267178e1a219aabf5a9e51b50ae4f2
-
SHA512
0f8d3ec68f5afefda7d968235f19d56379ce0358431e244c0947bab230b17a1c609f2376afbba37a06c81c07fb5b871770cfe209a5859221d026cf010ceab51e
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
killdemall007
Extracted
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
killdemall007
Targets
-
-
Target
Payment doc747322.exe
-
Size
491KB
-
MD5
88087279864b6d4db153f6dd9c68f065
-
SHA1
7e8a69d8aecc43d9449af37efb5fcdaee1cf4166
-
SHA256
112fe86589f5587620a62be8ebeab2ee9898f770762f7be2b92a229c46d52917
-
SHA512
7c9003242e32bbca7890e0393c370686e3a4011e98e6b3c77859d73d6b97ab89752c1da3c2909bee3ee72333117721f63ecdb856317ebde71cb8ed854c786dfd
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-