General
- Target: Proof of payment.exe
- Size: 608KB
- Sample: 200630-wxtpgwm1lj
- MD5: 2914288341a628164f4288c3ac01c7e2
- SHA1: 58f0225b257725c93f41e92a471d2a2f07029982
- SHA256: 92b3287ca777166f9231da535aa5248d3508ffdae60a53e378316ac079b9b60c
- SHA512: 60c2aeff2bf7e60295214302410c7dd5c078372aec845d8ba836d6a911f051bade61300a765ab0318f0cafc57d55c517dc5f00cba2c0feb921dbade84544ec57
Static task: static1
Behavioral task: behavioral1
- Sample: Proof of payment.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Proof of payment.exe
- Resource: win10v200430
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: logsdetails0@yandex.com
- Password: Hunter$#@145722
Targets
- Target: Proof of payment.exe (608KB; hashes as listed under General)
- Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext