General
Target: 11203780.msi
Size: 444KB
Sample: 200630-3wddv8b2r6
MD5: 7d7c9f126169d3ad991f2b511b466e47
SHA1: 7795bbdef40832cee08256ebe1cca0c6df8bc740
SHA256: 75c0601db308796a7e8b5f045f908dd910a4a869cc53d544ed28726ad0eb0537
SHA512: cf6e5d6dad7e345b435b91736dae86d6d66ebf726925fc7d843a6c6f773e2a20a10b50ce4533ddf154f48fbc4771f4ee693fb54b0c7106017e40d3649dd95f04
Static task: static1
Behavioral task: behavioral1
Sample: 11203780.msi
Resource: win7v200430
Behavioral task: behavioral2
Sample: 11203780.msi
Resource: win10
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: pagejeffrey@yandex.com
Password: $44#@weC0*
Targets
Target: 11203780.msi
Size: 444KB
Score: 10/10
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials, etc.
- Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext