General
-
Target
d1c48998f676bd16dfee5fb22274de5ca2e9f3f0c8e7a40e8ad5b2e9df289084
-
Size
444KB
-
Sample
220521-pfawbsfbf9
-
MD5
4e7e15989837d149b6ad0e126ea3fc0f
-
SHA1
8e4eb06ef7e445b17307fcb74add3243934a5129
-
SHA256
d1c48998f676bd16dfee5fb22274de5ca2e9f3f0c8e7a40e8ad5b2e9df289084
-
SHA512
2a0e5b326c0ab1aeefe0e5fb3253d334374c54c6c5e75f3e113a0386111173b8de8ecb56a2b4d1f2ed1207048a0de1c73022fe4912dfe2debca1504fa77af852
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
lazerkesim@nesermetal.com - Password:
335410
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
lazerkesim@nesermetal.com - Password:
335410
Targets
-
-
Target
SKM_C20200526-001000301010.xlsx.exe
-
Size
520KB
-
MD5
a64d7ee07223bffbc1029ca3a3ce9f64
-
SHA1
579d29de22bd1868c3708b0a05af75bb6ee8bcec
-
SHA256
082ec304ab77e60da2af6b4152ed6af68356d22dfd47709eab524659184a8822
-
SHA512
1515f8c9a751c7d5a1302145653bc338c9d7ddfc4495a9e6ea3dd8bcd02f7521fb618c2c748c580a2fc573eedfa47498aab7a9d8c7861c8137b56d698a0f75f9
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
CoreEntity .NET Packer
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-