General
-
Target
188bc6af1002bb1d12923c01becb543f8ce6ddafc9cf7b81e3362afb227dd2d8
-
Size
351KB
-
Sample
220521-pcwnmaaccj
-
MD5
5c10af873f60ab471c93f866a85dbce7
-
SHA1
002e98a7378844305512bf223528bf9e5768632f
-
SHA256
188bc6af1002bb1d12923c01becb543f8ce6ddafc9cf7b81e3362afb227dd2d8
-
SHA512
fb6476679efbf90fb90133c1edf023d22fa0b5a1b17da2b2f10c3bb6d3ad7160d0694db4a3892a6d395b2167b342c334df685a53a7161685554c121c7ad48ab8
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.threewaystoharems.com - Port:
587 - Username:
coaching@threewaystoharems.com - Password:
sales@123456
Extracted
Protocol: smtp- Host:
mail.threewaystoharems.com - Port:
587 - Username:
coaching@threewaystoharems.com - Password:
sales@123456
Targets
-
-
Target
purchase order.exe
-
Size
438KB
-
MD5
ff0aaaaebbc20f0803d874beb67ff00b
-
SHA1
f786307b75cd5d2a7e5b8be8e34c999e372a63a9
-
SHA256
b6eecfd6a6e81cebb29940e6ccd64dea0434dfe1203de308dc16fa6271b74000
-
SHA512
95a30d2def90728a0f4100dd053bfb2d3bbea7047dd46b56f0a6e1b35a25e4b1bdde4321cdab7726ee25bf39ddba25bd34037ce8563cbab071c4213e23cbab85
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-