General
-
Target
b745105bc03f3f697f983b99d56274148059f0269e692554e1104aa802ce36df
-
Size
363KB
-
Sample
220521-ngv28aghan
-
MD5
76149159e289c3e5481f9b809ff9a10c
-
SHA1
143e93dcb8fec5fade908b750b9ca4280b74e06a
-
SHA256
b745105bc03f3f697f983b99d56274148059f0269e692554e1104aa802ce36df
-
SHA512
7e4098d5995b2c98fdb906625770dc69fd8ab0542127b0c8d83dd2a0ab9175c91fbcd3cb403fb553c7b5892ec5667d621baf807a411cb862a0a4fca9f8333093
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.cybix.in - Port:
587 - Username:
akash.kumar@cybix.in - Password:
cybix@16july
Extracted
Protocol: smtp- Host:
mail.cybix.in - Port:
587 - Username:
akash.kumar@cybix.in - Password:
cybix@16july
Targets
-
-
Target
soft copy.exe
-
Size
432KB
-
MD5
92d75e240cc79a5eca9ef9f19824b12b
-
SHA1
dc5225d1162a439f0d60b175b4aefda6bb2ea672
-
SHA256
cb849228d087071a3aae46c6fc175641a72ff8cde8c7ad8a3a3bb629b87a4d7d
-
SHA512
cff1740ea6deff9d2b7a8c2d3fa5498354826cdfc8699dc19866edbf5de58323e7bead0beac634028b626b8c3d28d1d15cdd4a20c49bde39c2570b406eeddb05
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-