General
-
Target
09f71363eeae20550c65800031e142057ca1ebe52be382b0cdc4ad35d8ddba1e
-
Size
336KB
-
Sample
220524-1nsa5ahbe5
-
MD5
756dacf76917f79f5795958815e6dcf7
-
SHA1
24f293e12498264c32d356ad42127cf950b10018
-
SHA256
09f71363eeae20550c65800031e142057ca1ebe52be382b0cdc4ad35d8ddba1e
-
SHA512
c7a20e179e8cb2602fd4d93817ac14202286afa6763abd64cd18627bafdcded056e17263966ea929bf42bb27483653845f1fd059723ddd0030cfe16bd091bacb
Malware Config
Targets
-
-
Target
DOCUMENT.exe
-
Size
402KB
-
MD5
80a0e44a0b9428e5c1c22669de4199c2
-
SHA1
62a712d3b5ffcd9e63a4d91899b05c0fb11e03f3
-
SHA256
02a155cd37b9928135915cc0ca32e4bb683335d1bc1fadec09bd667917e2c734
-
SHA512
6a462ab876c1995bc8d1e42be965e31bedb395b831cddd3b8b0b1c68a0610a1efff0615d2baf630d924b03c27556ce763478bbda2a36e125b0b63b43024e8bb3
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
ReZer0 packer
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-