General
- Target: Order_00153PDF.exe
- Size: 690KB
- Sample: 200630-ts9sbveve2
- MD5: 252f872d350234d4dd6025db8b91dcb8
- SHA1: a53567ce79581942e790a5646cef50bee7a7248b
- SHA256: 1e4142cd35d6a084523300f2a21b42add23f4292002452064360e457a12b5772
- SHA512: f6cab2ed372a5715618006f03c6ba35b3191f7b90e10138263844ecb2e59188a50484b90d6cbd1548aaf555bf3ca2542955853a36528bbe099a74fe7b31af26d
Static task: static1
Behavioral task: behavioral1
- Sample: Order_00153PDF.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Order_00153PDF.exe
- Resource: win10v200430
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.bmdonline.ro/
- Port: 21
- Username: webshots@bmdonline.ro
- Password: c^,O(bP@w$&SNN@ossyguru@009988
Targets
- Target: Order_00153PDF.exe
- Size: 690KB
- MD5: 252f872d350234d4dd6025db8b91dcb8
- SHA1: a53567ce79581942e790a5646cef50bee7a7248b
- SHA256: 1e4142cd35d6a084523300f2a21b42add23f4292002452064360e457a12b5772
- SHA512: f6cab2ed372a5715618006f03c6ba35b3191f7b90e10138263844ecb2e59188a50484b90d6cbd1548aaf555bf3ca2542955853a36528bbe099a74fe7b31af26d
Score: 10/10
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext