General
- Target: DETAILS FOR PAYMENT.exe
- Size: 460KB
- Sample: 200630-hqj8p2tnw2
- MD5: bdefcef88d4a09ea0fc6850b7d8472b2
- SHA1: f2cc1cb67df1483017c36a490cdfec97a9a2edb4
- SHA256: afc6a57a487e1f941dfd4e4000bad832fbd50aeead93e25c3a9be503abedac9d
- SHA512: 85f58d6257e62c738ba86e0cd389d4fbc31d98c992826fa924489de984d07464ca9631596e224d14a219fd04c0c34445d65fd50b0402306880534146c3f5bbf8
- Static task: static1
- Behavioral task: behavioral1 (sample: DETAILS FOR PAYMENT.exe, resource: win7)
- Behavioral task: behavioral2 (sample: DETAILS FOR PAYMENT.exe, resource: win10v200430)
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.starmakertravel.com
- Port: 587
- Username: smt@starmakertravel.com
- Password: admin2000
Targets
- Target: DETAILS FOR PAYMENT.exe
- Size: 460KB
- MD5, SHA1, SHA256, SHA512: identical to the values listed under General above
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext