General
-
Target
Payment Slip.exe
-
Size
1.2MB
-
Sample
200712-yrgcf4eyns
-
MD5
02bd06cc6b96833379e8cf6cccb32059
-
SHA1
3d9ad38d59e364d787db741a58bf2d0527f0bf25
-
SHA256
8d5d64d7fe461ea3d2c4ef989b5919dd74f0d7a5803fcaeb23bda4d815f22d83
-
SHA512
5482f466023f832e60dc29a8f283c59ca5f956a7b6012cef3045eb493490a4b99400349ef1da960006c80967fe75a91ddf2ab425247e2ed2cf757804ddd16fd5
Static task
static1
Behavioral task
behavioral1
Sample
Payment Slip.exe
Resource
win7
Behavioral task
behavioral2
Sample
Payment Slip.exe
Resource
win10v200430
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
onuengr@yandex.com - Password:
esut96092
Targets
-
-
Target
Payment Slip.exe
-
Size
1.2MB
-
MD5
02bd06cc6b96833379e8cf6cccb32059
-
SHA1
3d9ad38d59e364d787db741a58bf2d0527f0bf25
-
SHA256
8d5d64d7fe461ea3d2c4ef989b5919dd74f0d7a5803fcaeb23bda4d815f22d83
-
SHA512
5482f466023f832e60dc29a8f283c59ca5f956a7b6012cef3045eb493490a4b99400349ef1da960006c80967fe75a91ddf2ab425247e2ed2cf757804ddd16fd5
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-