General
Target: Purchase List.exe
Size: 684KB
Sample: 210225-nfnqg6gtys
MD5: e4cf61f665f6162275d903ae9704ab4b
SHA1: fae35b4255e8d21822800c06b6bebc467730e422
SHA256: 902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205
SHA512: 150179452260cd2c946d312755b20584295645763d4e03152143fd74d55201f8ecb5c1082129b560bcd2a95ada411309a7bcf3db5fd761fc3cf19b3dae1ac3b2
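Before relying on this report for a file you hold, confirm the file really is the one the sandbox ran: a sample fetched from a different feed or repacked by a dropper will hash differently and the behaviour below will not apply. The following is an added example (not the sandbox's own tooling) that hashes a file once with all four algorithms the report lists and names the ones that disagree; the digests are copied from the report, and the only assumption is that the file is read from local disk.

```python
import hashlib
import io

# Digests copied from the report above for "Purchase List.exe".
REPORTED = {
    "md5": "e4cf61f665f6162275d903ae9704ab4b",
    "sha1": "fae35b4255e8d21822800c06b6bebc467730e422",
    "sha256": "902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205",
    "sha512": "150179452260cd2c946d312755b20584295645763d4e03152143fd74d55201f8ecb5c1082129b560bcd2a95ada411309a7bcf3db5fd761fc3cf19b3dae1ac3b2",
}


def digests(stream, algorithms=tuple(REPORTED), chunk=1 << 20):
    """Read a binary stream once and feed the same chunks to every hasher."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for h in hashers.values():
            h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def digests_of_bytes(data):
    """Convenience wrapper for in-memory data (used by the tests below)."""
    return digests(io.BytesIO(data))


def mismatches(actual, expected=REPORTED):
    """Algorithms whose digest differs from the report, compared case-insensitively.

    An empty list means every reported digest matched. A missing algorithm in
    `actual` counts as a mismatch so a partial comparison is never reported as a match.
    """
    return [alg for alg in expected
            if actual.get(alg, "").lower() != expected[alg].lower()]


def verify_file(path, expected=REPORTED):
    """Return the list of mismatching algorithms for the file at `path`."""
    with open(path, "rb") as fh:
        return mismatches(digests(fh), expected)


if __name__ == "__main__":
    import sys
    bad = verify_file(sys.argv[1])
    print("match: same file as the report" if not bad else f"mismatch on {bad}: different file")
```

Treat any non-empty result as "a different file"; a single disagreeing algorithm is not a partial match, it means the bytes differ (or the report was transcribed wrongly), so the behaviour sections of this report should not be attributed to the file in hand.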
Static task: static1
Behavioral task: behavioral1
Sample: Purchase List.exe
Resource: win7v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.estagold.com.my
Port: 587
Username: admin@estagold.com.my
Password: estagold202584
This SMTP account is the sample's exfiltration channel: Agent Tesla in SMTP mode mails harvested credentials and keystrokes through it. The host, account and password are therefore attacker-controlled indicators (frequently a compromised legitimate mailbox), not victim data, and the host/port pair is the network indicator to block and hunt for.
Targets
Target: Purchase List.exe
Size: 684KB
MD5: e4cf61f665f6162275d903ae9704ab4b
SHA1: fae35b4255e8d21822800c06b6bebc467730e422
SHA256: 902e08a184d5a096905397464b5add020e541af01a856e33935763ceb42f1205
SHA512: 150179452260cd2c946d312755b20584295645763d4e03152143fd74d55201f8ecb5c1082129b560bcd2a95ada411309a7bcf3db5fd761fc3cf19b3dae1ac3b2
- AgentTesla: Agent Tesla is a remote access tool (RAT) and credential stealer written for the .NET framework.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: setting another process's thread context after writing into its memory is how process hollowing redirects execution to an injected payload.
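The four registry signatures above are individually weak (legitimate installers read the BIOS keys and the disk enumeration too); what makes them useful is that one process performs all of them and then writes another process's thread context. The following is an added example, not the sandbox's own detection logic, that runs that combination over constructed Procmon/Sysmon-style "key=value" events. The registry paths each signature is mapped to are assumptions (the report names the signatures, not the keys), and the event lines are constructed, not real telemetry from this sample.

```python
import re
from collections import defaultdict

# Constructed events in a Procmon/Sysmon-like "key=value" layout. Not telemetry
# from this sample; they only exercise the signatures listed in the report.
SAMPLE_EVENTS = r"""
pid=2468 image=Purchase List.exe op=RegOpenKey path=HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
pid=2468 image=Purchase List.exe op=RegOpenKey path=HKLM\SOFTWARE\VMware, Inc.\VMware Tools
pid=2468 image=Purchase List.exe op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System\BIOS value=SystemManufacturer
pid=2468 image=Purchase List.exe op=RegQueryValue path=HKLM\HARDWARE\DESCRIPTION\System value=SystemBiosVersion
pid=2468 image=Purchase List.exe op=RegQueryValue path=HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum value=0
pid=2468 image=Purchase List.exe op=SetThreadContext target_pid=3100 target_image=Purchase List.exe
pid=3100 image=Purchase List.exe op=TcpConnect dst=mail.estagold.com.my dport=587
pid=1980 image=explorer.exe op=RegQueryValue path=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion value=ProgramFilesDir
"""

# Assumed registry locations behind the report's four registry signatures.
ANTI_VM_KEYS = {
    "virtualbox_guest_additions": re.compile(r"\\SOFTWARE\\(WOW6432Node\\)?Oracle\\VirtualBox Guest Additions", re.I),
    "vmware_tools": re.compile(r"\\SOFTWARE\\(WOW6432Node\\)?VMware, Inc\.\\VMware Tools", re.I),
    "bios_info": re.compile(r"\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?$", re.I),
    "disk_enum": re.compile(r"\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum", re.I),
}

# key=value tokens; values may contain spaces, so each value runs to the next " key=".
TOKEN = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    return dict(TOKEN.findall(line.strip()))


def new_record():
    return {"image": None, "anti_vm": set(), "set_thread_context": 0, "network": []}


def analyze(events_text):
    """Group events by pid and record the behaviours the report's signatures describe."""
    per_pid = defaultdict(new_record)
    for raw in events_text.splitlines():
        ev = parse_event(raw)
        if "pid" not in ev:
            continue
        rec = per_pid[ev["pid"]]
        rec["image"] = ev.get("image", rec["image"])
        op = ev.get("op", "")
        if op.startswith("Reg"):
            for name, pattern in ANTI_VM_KEYS.items():
                if pattern.search(ev.get("path", "")):
                    rec["anti_vm"].add(name)
        elif op == "SetThreadContext" and ev.get("target_pid") not in (None, ev["pid"]):
            # A context write into a different process is the last step of hollowing;
            # a thread setting its own context is routine and ignored here.
            rec["set_thread_context"] += 1
        elif op == "TcpConnect":
            rec["network"].append((ev.get("dst"), ev.get("dport")))
    return dict(per_pid)


def score(rec):
    """One point per distinct sandbox-evasion lookup, two for cross-process SetThreadContext."""
    return len(rec["anti_vm"]) + (2 if rec["set_thread_context"] else 0)


def suspicious(report, threshold=3):
    """Pids whose score reaches the threshold, highest score first."""
    return sorted((pid for pid, rec in report.items() if score(rec) >= threshold),
                  key=lambda pid: -score(report[pid]))


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for pid in suspicious(report):
        rec = report[pid]
        print(pid, rec["image"], sorted(rec["anti_vm"]),
              "SetThreadContext" if rec["set_thread_context"] else "", rec["network"])
```

Note the split the constructed events show: the process that runs the anti-VM checks (2468) is not the one that opens the SMTP connection (3100, the hollowed child). A rule that keys only on network activity by the image name will miss the evasion, and a rule that keys only on registry reads will fire on installers; correlating both per process tree, with the cross-process SetThreadContext as the link, is what separates this sample from benign software.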