General
-
Target
32d047753dbbe82dd298e3fcf8c1795d695d5d399d40cd18e5bcfe053b4621eb
-
Size
490KB
-
Sample
220521-pcgvgaacan
-
MD5
ff04be0d67fec8d7d7a88e53a9b2f4b4
-
SHA1
084926c97d4f0a9a2bd338256439ab879b92c4d1
-
SHA256
32d047753dbbe82dd298e3fcf8c1795d695d5d399d40cd18e5bcfe053b4621eb
-
SHA512
ce70e19c915fa4e58777ea77d55fba5709552853812dc556b3531b90956a18afe34fcd04fea8b62ce310767ccf7b1e7cd926d41a0fcbf0fef3b1c082432b24c1
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
gnaeask@2015
Extracted
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
gnaeask@2015
Targets
-
-
Target
Order 80347 PRENOTAZIONE SCARICO VS ORDINE NR 80123269.exe
-
Size
533KB
-
MD5
83d0f74f6b77a62e6ef7859f5048004a
-
SHA1
83d7d9dc890acc6c11792b90f2e5f83052d1fd72
-
SHA256
c1e70670831fff1662c4d65b509cadd9f4d493aa94c29e2a3895051179fab082
-
SHA512
258c8c47e6bec5b9ad0452aaf6b9a236b8ec723718c31554965e48e6cd6c354f4fc3149f41910963aedfe703a20728e42825ae4462c29fe8d57f0f4f6a26c8a8
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
CoreCCC Packer
Detects CoreCCC packer used to load .NET malware.
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-