Trojan Agent Tesla – Malware Analysis


Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family : Agent Tesla Downloaded Sample Link: Click here Signature: Microsoft Visual C# v7.0/ Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steal browser information (URL, Usernames, Passwords) Steal passwords for email clients. Steal FTP Clients Steal download manager passwords. Collect OS and hardware information. Browser Information: When I debug the malware executable,… Read More Trojan Agent Tesla – Malware Analysis

Password stealer Trojan – Malware Analysis


Hi Visitor, I got this sample of malware shared on VirusBay. Sample below: SHA256: 630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad Signature: Microsoft Visual C# v7.0/ Basic .Net and its a Windows forms application. Upon execution, this file drops below two files at location C:\Users\<UserProfile>\AppData\Local\Temp\ Dropped files: C:\Users\<UserProfile>\AppData\Local\Temp\FB_2C02.tmp.exe C:\Users\<UserProfile>\AppData\Local\Temp\cc3a68ce1dad95ce662e1c51568e3a.exe (Application Server) Upon execution of this file, it take a screenshot of… Read More Password stealer Trojan – Malware Analysis

Trojan dropper bdf243b7a296f7aecc366c799e3fb865e 3aff7c72d8d942e2b2632a347fe5c3


SHA256: bdf243b7a296f7aecc366c799e3fb865ee3aff7c72d8d942e2b2632a347fe5c3 I downloaded this sample from Malshare. I started decoding PE hex to text file and found that the PE file has embedded another file which will be dropped on execution. Filename: help.exe SHA256: 837bef64239be017a2aac92852576efc7d84774d90f64e9d69c5cc3a2b4ecce4 It also drops Autoexec.bat.exe file and Autoexec.exe files at C:\ location. (But it didn’t drop these files instead it… Read More Trojan dropper bdf243b7a296f7aecc366c799e3fb865e 3aff7c72d8d942e2b2632a347fe5c3

HelpMe.exe malware


VirusTotal:  SHA256 – 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e Tools used for analysis: Ollydbg, WireShark, PEExplorer, I started debugging using Ollydbg. The first warning I received is “Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!” The executable file extracts HelpMe.exe file and… Read More HelpMe.exe malware