General
- Target: Pending Order Confirmation.gz.exe
- Size: 669KB
- Sample: 201126-m9qsh72d6n
- MD5: fabea57872e14b1facc1f3ff573ae6b9
- SHA1: d790a7ba0dbe886ca05580eb7f3bd47e7b5879ab
- SHA256: ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755
- SHA512: 7ff1e78602417a2f7b1ccc9e2025851827aef1735605377e48a13a9fc629dffed7cea4262335741a86b82609c7d1b5fdc8a45fd9d611bbdf4fcca0bed98b59b7
Static task: static1
Behavioral task: behavioral1
- Sample: Pending Order Confirmation.gz.exe
- Resource: win7v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.shirdilog.com
- Port: 587
- Username: cs.maa@shirdilog.com
- Password: SL094521
Targets
- Target: Pending Order Confirmation.gz.exe
- Size: 669KB
- MD5: fabea57872e14b1facc1f3ff573ae6b9
- SHA1: d790a7ba0dbe886ca05580eb7f3bd47e7b5879ab
- SHA256: ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755
- SHA512: 7ff1e78602417a2f7b1ccc9e2025851827aef1735605377e48a13a9fc629dffed7cea4262335741a86b82609c7d1b5fdc8a45fd9d611bbdf4fcca0bed98b59b7
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext