General
-
Target
haitianx.exe
-
Size
45KB
-
Sample
210121-jz6gmpnqh6
-
MD5
c2a516ecaa7cd7627eee19decabbedb6
-
SHA1
5799c2d794a9f961e54e4e9726a847bc6fdc52e0
-
SHA256
c29a5c591efd9fd4dab5c5f29fbec995829618ac2c2256523bac884182574e49
-
SHA512
3fece40243b87f4ea6f48796e7086350b080be46f11bae66d4cfc2738de6de78a1a7ec5950aaece71d44b34668b9206a431802b48de87f0980dc23d4f98f69e9
Static task
static1
Behavioral task
behavioral1
Sample
haitianx.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
haitianx.exe
Resource
win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
polar.argondns.net - Port:
587 - Username:
bretandmix@temsad.com - Password:
]4&w8LUz9*LT
Targets
-
-
Target
haitianx.exe
-
Size
45KB
-
MD5
c2a516ecaa7cd7627eee19decabbedb6
-
SHA1
5799c2d794a9f961e54e4e9726a847bc6fdc52e0
-
SHA256
c29a5c591efd9fd4dab5c5f29fbec995829618ac2c2256523bac884182574e49
-
SHA512
3fece40243b87f4ea6f48796e7086350b080be46f11bae66d4cfc2738de6de78a1a7ec5950aaece71d44b34668b9206a431802b48de87f0980dc23d4f98f69e9
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-