General
Target: 210416-lf21maw8he_pw_infected.zip
Size: 65KB
Sample: 210420-7v7zykn12x
MD5: 0f9aa937fec7bd299d04e2b86f773604
SHA1: 9a0059f9d911dd79ed9c6da150dcbd49fc4668c1
SHA256: 95110acd4adb865b07e81e023006891a9da09a0f5851d6c8fae423f018b0a50e
SHA512: 5b4350a279ff850a6cdf9b48b27b88056f877f6be1e70db0e1f64778f88fb16ab12bd499a56e57e1594f7635062225ff813014a6f8311aa15654c1f5d09b8ba6
Static task: static1
Behavioral task: behavioral1
Sample: Property Details.pdf.bin.exe
Resource: win7v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: Money@123
These are the mailbox credentials the sample uses to send harvested data out over SMTP submission (port 587); blocking or alerting on outbound connections from user workstations to this host and port is the immediate network-side control.
Targets
Target: Property Details.pdf.bin
Size: 379KB
MD5: 3618134640661e484c11406b7bae2aa7
SHA1: 55f2fcab1e76b94cfdf8537a3675a65ac764d338
SHA256: 4cc9fc3c6c06119543c1f09d6900c35303905b8d8e18ebc6d9d3d8f6a8ff6507
SHA512: a4b30d04d26996aed6738908bec6f32da09e6dd2e1eee971544fe84091ef6faf1325283a58913f6db915d6ad6ba8ebf9177bf692eed7d13cabdf435e7215705b
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and sends them to the operator over SMTP, FTP or HTTP; the configuration extracted above shows this sample uses SMTP.
- AgentTesla payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Adds Run key to start application (persistence across logon)
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger (anti-debugging: the thread stops delivering debug events to an attached debugger)
- Suspicious use of SetThreadContext (commonly used to redirect execution in an injected or hollowed process)
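The behaviours listed above (sandbox-detection registry probes, a Run-key write and the SMTP exfiltration channel from the extracted config) can be turned into a simple host-side detection. The script below is an added example and is not code from the sandbox report or from any AgentTesla tooling: it scores constructed Sysmon-style log lines per process and rates a process "high" only when it combines at least two sandbox probes with persistence or SMTP egress. The registry paths are the locations such checks commonly read and are assumptions; the report names the behaviours, not the exact keys.

```python
"""Added example, not part of the sandbox report or of any Triage/AgentTesla code.

Scores constructed Sysmon-style events for the behaviours the report lists:
registry probes for VirtualBox/VMware/BIOS/disk enumeration (sandbox evasion),
a Run-key write (persistence) and an outbound SMTP connection on port 587
(the exfiltration channel in the extracted config). The registry paths are the
commonly probed locations and are an assumption; the report names only the
behaviours, not the exact keys."""
import re
from collections import defaultdict

# Commonly probed anti-VM / fingerprinting keys (assumed locations; matched as
# case-insensitive prefixes so value reads under these keys also count).
ANTI_VM_KEYS = {
    "virtualbox_guest_additions": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    "vmware_tools": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    "bios_info": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    "disk_enum": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
}
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SMTP_PORTS = {25, 465, 587}          # 587 is the port in the extracted config
PERSIST_OR_EXFIL = {"run_key_persistence", "smtp_outbound"}

# Constructed log lines in a simple key=value shape (not real telemetry).
SAMPLE_LOG = [
    r'event=reg_query pid=1234 image="C:\Users\user\Property Details.pdf.bin.exe" key="HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"',
    r'event=reg_query pid=1234 key="HKLM\SOFTWARE\VMware, Inc.\VMware Tools"',
    r'event=reg_query pid=1234 key="HKLM\HARDWARE\DESCRIPTION\System\BIOS" value=SystemManufacturer',
    r'event=reg_query pid=1234 key="HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"',
    r'event=reg_set pid=1234 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Property Details" data="C:\Users\user\Property Details.pdf.bin.exe"',
    r'event=net_connect pid=1234 dhost=smtp.yandex.com dport=587',
    # A legitimate installer checking once for VMware Tools must not fire.
    r'event=reg_query pid=777 image="C:\Temp\setup.exe" key="HKLM\SOFTWARE\VMware, Inc.\VMware Tools"',
]

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one 'k=v k="quoted v"' line into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def collect_findings(lines):
    """Map pid -> set of behaviour tags observed for that process."""
    findings = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        pid, kind, key = ev.get("pid", "?"), ev.get("event"), ev.get("key", "")
        if kind == "reg_query":
            for tag, prefix in ANTI_VM_KEYS.items():
                if key.lower().startswith(prefix.lower()):
                    findings[pid].add(tag)
        elif kind == "reg_set" and RUN_KEY_RE.search(key):
            findings[pid].add("run_key_persistence")
        elif kind == "net_connect" and int(ev.get("dport", 0)) in SMTP_PORTS:
            findings[pid].add("smtp_outbound")
    return findings


def classify(findings):
    """'high' needs at least two sandbox probes plus persistence or SMTP egress;
    a single probe, or a lone Run-key/SMTP event, is only 'low' (too noisy alone)."""
    verdicts = {}
    for pid, tags in findings.items():
        probes = len(tags & set(ANTI_VM_KEYS))
        follow_up = bool(tags & PERSIST_OR_EXFIL)
        verdicts[pid] = "high" if probes >= 2 and follow_up else "low"
    return verdicts


def analyse(lines=SAMPLE_LOG):
    """Verdict per pid for the given log lines (defaults to the constructed sample)."""
    return classify(collect_findings(lines))


if __name__ == "__main__":
    verdicts = analyse()
    for pid, tags in sorted(collect_findings(SAMPLE_LOG).items()):
        print(pid, verdicts[pid], sorted(tags))
```

The threshold is deliberate: installers and hardware-inventory agents legitimately read one or two of these keys, so a single probe on its own is noise; the combination of several probes followed by a Run-key write or an SMTP connection from a non-mail process is what matches the report's behaviour chain.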