General
Target: requested order pdf.exe
Size: 433KB
Sample: 200630-mjbq7wqyjs
MD5: 3a1f0c85d81e3e6cb81e933a5aba35f9
SHA1: e1c04f5815de0be4393f79a2848e415c0c43d56e
SHA256: b8aecbdc29f182fafff84d4199a808d915eb37488a8fe666e308267aba5e648e
SHA512: b90bd351cd37b7cfec8c705f74394cb34623f54593ea1deb96ecd1a75e46c0c12feddc850799eaccefc017a79bd6ccf0f1e1366fcd1cc6b424bb9a6661a668f9
Static task: static1
Behavioral task: behavioral1
Sample: requested order pdf.exe
Resource: win7
Behavioral task: behavioral2
Sample: requested order pdf.exe
Resource: win10
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: sirohms@sirohms.com
Password: lFAvm@p#@z92
Targets
Target: requested order pdf.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application
- Suspicious use of SetThreadContext