General
-
Target
546b99166b206cd4a3db89b8e97579919a85e98d281632a2b6f5118f1bf5eaac
-
Size
683KB
-
Sample
220521-dg573sagdj
-
MD5
ec1daef60d00a5fd75f73e2263a8e13a
-
SHA1
b166bfa8a5278d156cebb4cacea4f5bc2f8e5625
-
SHA256
546b99166b206cd4a3db89b8e97579919a85e98d281632a2b6f5118f1bf5eaac
-
SHA512
b299712a461338a54d7c18aa1c96e679d4408298ebe6956b7e240c363c83f34bf477bdc8d49b8c1201d0fd386b95f8ff866dbaca0a202692a111a7b4dbc13f96
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.acmasindia.com - Port:
587 - Username:
[email protected] - Password:
7R?_e#f.wLob
Extracted
Protocol: smtp- Host:
mail.acmasindia.com - Port:
587 - Username:
[email protected] - Password:
7R?_e#f.wLob
Targets
-
-
Target
Purchase Order.exe
-
Size
716KB
-
MD5
e5f74fba39a57d9e8f42b3073447b283
-
SHA1
429ab9b34e3cfadce00baf207f4a2a87666785de
-
SHA256
4282ae23bf6e1a962085b045a712056a9d98c1e03d9d77c6a226d3fc7ed89776
-
SHA512
f1754b72140111d0241720407d05e1e610ff08aad96289f2af51461d3ad1e7e0d4741ad7b28724e531a6195969a0105380b982d5509c52a98bb44ae85d95924e
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-