General
-
Target
b348fec694093d0c7abfd543d8467e72d49c3455ed67bd9ef6bdbf8b1657404e
-
Size
746KB
-
Sample
220521-n2ewqshfbq
-
MD5
9f1a0c6c75b026dc75148e376ad11952
-
SHA1
323b2b45d78460aaf7d2d086280e1da1c216dcea
-
SHA256
b348fec694093d0c7abfd543d8467e72d49c3455ed67bd9ef6bdbf8b1657404e
-
SHA512
15ffc42c23cb471c4753373f56cd14f2589ce7153bc787d4b060c8928d10375bebe3d1f5dc1ee9a957635c21c0ede7954180cf95ff8b8865fd85e63345980cd2
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
1234567890Bless#
Extracted
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
1234567890Bless#
Targets
-
-
Target
order.exe
-
Size
933KB
-
MD5
68d4c5277ba7dc8677e0efa97d45105c
-
SHA1
25db18004d8968d97069929edce2edf21a0d0589
-
SHA256
8f31366103542395f70f39b537d8355e0f59b1605884d0ad2dae0f5c8c8a49d2
-
SHA512
76d04a5d0a17509a9b14d9371a4526c1b421b7d7d3925d0ac21d198333c0ff1c4592025c7ccdbfd8cf7ad2749b64d2f128aa904be4662451d6adf16c14cf6ef0
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-