General
-
Target
e349e9d4fd38c51f23ba9cb3d63cd483c25e1daeb91d0dc37fa35a00c83bf5dd
-
Size
620KB
-
Sample
220521-nqj2bahbcq
-
MD5
930c9e47ea7edbbad27bf4d807955e6a
-
SHA1
adf76678f3159a0313132d7e55d1e3b05d3d5249
-
SHA256
e349e9d4fd38c51f23ba9cb3d63cd483c25e1daeb91d0dc37fa35a00c83bf5dd
-
SHA512
0fb3e7844f85b5019c091714e50bc3f167e57cfe6452cc15b764d138785d45d5f0db793e50e504eb80b2e81eae39d88a324ce837fdb7cce15d1c69c07afa27a7
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
Smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
shawama1000
Extracted
Protocol: smtp- Host:
Smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
shawama1000
Targets
-
-
Target
img-602105445-0004.exe
-
Size
674KB
-
MD5
eb1e050fb735091e55bd6c5c4c46989e
-
SHA1
42139d4499987f728f2a34cc71aa3d1ba5cc242d
-
SHA256
ae97f320b8367d49172cc3a96acd6bc765ba935ad5426d126f8fcc2b4a2fc094
-
SHA512
63fb56f95c840cdd6df18672786f09beb826b66388ae3ac69c811cd060e0ccf51a076d1fda6650e5f687cfc748422800e94a57699b9976a77737089587d0f49b
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-