General
-
Target
27f61a512a54ef59344c895f8d3dc86d9f6071b71ad6cb67196739b9872e1e25
-
Size
450KB
-
Sample
220521-dtxrgagcg7
-
MD5
d0913d3fc1db63ee924e2cae70b9f4c5
-
SHA1
1c3fd1c50aa4c089b87fea9af9a9b11a041a015c
-
SHA256
27f61a512a54ef59344c895f8d3dc86d9f6071b71ad6cb67196739b9872e1e25
-
SHA512
04a1eee480f663cbd9a3889eed0de9bf454ad5389ac7a3bb0b1d601c8a66775939f958e0b71abf338eca2eb5725813fb6ea0fab4bf01ffac12b27978b95f0829
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.ductoslimpios.com.mx - Port:
587 - Username:
[email protected] - Password:
Nhost+321
Extracted
Protocol: smtp- Host:
mail.ductoslimpios.com.mx - Port:
587 - Username:
[email protected] - Password:
Nhost+321
Targets
-
-
Target
Las transacciones de su cuenta entre el 01.05.2020 - 30.05.2020.exe
-
Size
484KB
-
MD5
32b20f8e93bd7f4092ecc41e593df509
-
SHA1
5649819910784787eecae42dd12394849f8c80fc
-
SHA256
0adddcc2c03723a2282bbec5342b52f6b765973774593125a9b87939e3f8a8c2
-
SHA512
bc2332e179f95b4a8362e65d4b81f6b75f47f5aa25cd3c29956383c12816beb7f6b092a5c62d8fda928c2b9c18d316fa05e3375b96cb98551c74b5bb8380b351
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-