General
-
Target
24b407a2f96ca86855a5f35e70e7beae73385af789a2f7f4a33b1a4fac0f6511
-
Size
393KB
-
Sample
220521-dvletsgdb3
-
MD5
ba59ac47c02c3dc48f8a5772a5140b00
-
SHA1
b08d92c46b2dde050b1a251f2cd5faddb7aab152
-
SHA256
24b407a2f96ca86855a5f35e70e7beae73385af789a2f7f4a33b1a4fac0f6511
-
SHA512
cb79b562a6c5544c5b882d9eaabd558e93ba957764cd137f439bd8a11db84d665c96aa110e1b2d36829e7f0b47b80cdad332f8071c839f93d6a0ff103165a8f2
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
solomon12345$$$1
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
solomon12345$$$1
Targets
-
-
Target
purchase order our ref 00298228 MOT3730319292 2020FIRST QUATAR SHIPMENT.exe
-
Size
450KB
-
MD5
3548ba8f5682eb72ba8ba4cace08ef6b
-
SHA1
9438cc7c86c1dd824e03ef746e91d078c973581a
-
SHA256
6f429f659ae1a2982550afb10873ba61aabdd7ee26f54db1c3c26f2634568e25
-
SHA512
1f6f687dd88157461e2c03f9659309bd6ac969892fe03125f15a6517ab522787ca9c7fc4cca2addd1fe3401f6c2526a731614cff63a837c96cfb1518c6e1c1d6
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-