General
-
Target
Order List.exe
-
Size
41KB
-
Sample
210421-p24k5ac9jj
-
MD5
2400fe7dc0c57c484ee2f27c3ecfa448
-
SHA1
a91970dd408d95ed439bed31d9bddf9357199716
-
SHA256
b337aa4c1b6e496feccad1915924918663620a60962e4200e8704377ae726a21
-
SHA512
fa4d76516b5c0c97a5fe7a2b88c81cca1a579624dfc5cb9c7c16fb36bb0ca870657bbd2108309f999a4c21cbad0565e16a7c4a9a72915e4b97c837824e7dc557
Static task
static1
Behavioral task
behavioral1
Sample
Order List.exe
Resource
win7v20210408
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: lags@d0llartree.com
Password: mmm777
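The extracted configuration gives a concrete hunt lead: the SMTP server, the port and the mailbox the stealer authenticates to before mailing out harvested credentials. The script below is an added example, not part of the sandbox report, that runs that lead over mail-session records. The JSON field names and the three log lines are constructed for the example (they mimic what a mail-aware network sensor records per SMTP session). The point it makes is that the credential, not the server, is the strong indicator: privateemail.com is a shared commercial mail service, so a connection to mail.privateemail.com:587 on its own is also produced by legitimate clients.

```python
"""Hunt SMTP session records for the Agent Tesla exfiltration mailbox.

Added example (not the sandbox report's code). Indicator values come from the
report's extracted config; the log format and records are constructed.
"""
from __future__ import annotations

import json
from typing import Optional

# Indicators taken from the extracted malware config.
EXFIL_HOST = "mail.privateemail.com"
EXFIL_PORT = 587
EXFIL_USER = "lags@d0llartree.com"

# Constructed records: a benign customer of the same shared mail provider,
# a victim session using the stealer's mailbox, and unrelated SMTP traffic.
SAMPLE_LOG = """\
{"ts":"2021-04-21T09:12:03Z","src":"10.0.4.17","dst_host":"mail.privateemail.com","dst_port":587,"auth_user":"finance@example.org","mailfrom":"finance@example.org","rcptto":"vendor@example.net"}
{"ts":"2021-04-21T09:13:41Z","src":"10.0.4.52","dst_host":"mail.privateemail.com","dst_port":587,"auth_user":"lags@d0llartree.com","mailfrom":"lags@d0llartree.com","rcptto":"lags@d0llartree.com"}
{"ts":"2021-04-21T09:15:10Z","src":"10.0.4.52","dst_host":"smtp.office365.com","dst_port":587,"auth_user":"bob@example.org","mailfrom":"bob@example.org","rcptto":"alice@example.org"}
"""


def parse_smtp_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON session records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(rec: dict) -> Optional[str]:
    """Return a confidence label for one SMTP session, or None if unrelated.

    high: the session authenticated as, or sent from, the mailbox in the
          extracted config. That credential is specific to this campaign.
    low:  only server and port match. The server is a shared mail provider,
          so this alone is expected from legitimate clients too.
    """
    user = (rec.get("auth_user") or "").lower()
    sender = (rec.get("mailfrom") or "").lower()
    if EXFIL_USER in (user, sender):
        return "high"
    if (rec.get("dst_host") or "").lower() == EXFIL_HOST and rec.get("dst_port") == EXFIL_PORT:
        return "low"
    return None


def hunt(text: str) -> list[dict]:
    """Run classify() over a log and return the matching sessions in log order."""
    findings = []
    for rec in parse_smtp_log(text):
        confidence = classify(rec)
        if confidence:
            findings.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "confidence": confidence,
                "auth_user": rec.get("auth_user"),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']:<12} {f['confidence']:<4} auth_user={f['auth_user']}")
```

Triage the "high" hits first: the source host authenticated with the stealer's own mailbox, which an infected machine does and a legitimate user never will. The "low" hits only tell you which hosts use that mail provider at all and are worth a second look only if the host also shows the persistence or anti-analysis behaviour listed below.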
Targets
-
Target
Order List.exe
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (keylogging, clipboard and saved-credential theft); this build exfiltrates over SMTP using the mailbox in the extracted config above.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application (persistence through a CurrentVersion\Run registry value)
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThread with ThreadHideFromDebugger
Hiding a thread from an attached debugger is a common anti-debugging step; it also breaks stepping through the thread during manual analysis.
-
Suspicious use of SetThreadContext
Rewriting another thread's context is commonly seen when redirecting execution into injected code (process hollowing or similar injection).
-
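The anti-analysis signatures above name the registry locations only generically (VirtualBox Guest Additions key, VMware Tools key, BIOS information, connected drives). The following is an added example, not the sample's code, that models those checks against a snapshot dictionary so it runs offline; its purpose is to vet an analysis VM before detonating samples like this one, since a VM that trips these checks yields an incomplete behavioural report. The key paths and marker strings are the well-known VirtualBox/VMware ones and are assumed here rather than extracted from this sample, and the "fewer than two mounted drives" heuristic is likewise an assumption about how drive enumeration is used.

```python
"""Model of the registry-based VM/sandbox checks listed in the report.

Added example (not the sample's decompiled code). Key paths, marker strings
and the drive-count heuristic are assumptions based on well-known checks,
not values extracted from this sample. Both snapshots are constructed.
"""
from __future__ import annotations

# Registry locations the listed signatures refer to (assumed, well-known paths).
VBOX_KEY = r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"
VMWARE_KEY = r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"
BIOS_VALUES = (
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName",
)
MOUNTED_DEVICES = r"HKLM\SYSTEM\MountedDevices"
# Substrings that give away a hypervisor in BIOS strings (assumed marker list).
BIOS_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "bochs", "virtual")
# Assumed heuristic: sandboxes often expose a single drive letter.
MIN_DRIVES = 2

# Constructed snapshot of an unhardened VirtualBox analysis VM.
VM_SNAPSHOT = {
    VBOX_KEY: {},  # key present, contents irrelevant to the check
    BIOS_VALUES[0]: "VBOX   - 1",
    BIOS_VALUES[1]: "Oracle VM VirtualBox VGA BIOS",
    BIOS_VALUES[2]: "innotek GmbH",
    BIOS_VALUES[3]: "VirtualBox",
    MOUNTED_DEVICES: ["\\DosDevices\\C:"],
}

# Constructed snapshot of an ordinary laptop.
HOST_SNAPSHOT = {
    BIOS_VALUES[0]: "LENOVO - 1460",
    BIOS_VALUES[1]: "Intel Video BIOS",
    BIOS_VALUES[2]: "LENOVO",
    BIOS_VALUES[3]: "20QTS0FT00",
    MOUNTED_DEVICES: ["\\DosDevices\\C:", "\\DosDevices\\D:", "\\DosDevices\\E:"],
}


def sandbox_indicators(snapshot: dict) -> dict[str, str]:
    """Return {indicator: evidence} for every check the snapshot would fail.

    An empty dict means none of the modelled checks would identify the
    machine as a VM or sandbox.
    """
    hits: dict[str, str] = {}
    if VBOX_KEY in snapshot:
        hits["virtualbox_guest_additions_key"] = VBOX_KEY
    if VMWARE_KEY in snapshot:
        hits["vmware_tools_key"] = VMWARE_KEY
    for path in BIOS_VALUES:
        value = str(snapshot.get(path, ""))
        if any(marker in value.lower() for marker in BIOS_MARKERS):
            hits["bios_marker:" + path.rsplit("\\", 1)[-1]] = value
    drives = [d for d in snapshot.get(MOUNTED_DEVICES, []) if d.startswith("\\DosDevices\\")]
    if len(drives) < MIN_DRIVES:
        hits["few_drives"] = ",".join(drives) or "<none>"
    return hits


if __name__ == "__main__":
    for name, snap in (("analysis VM", VM_SNAPSHOT), ("laptop", HOST_SNAPSHOT)):
        hits = sandbox_indicators(snap)
        print(f"{name}: {'clean' if not hits else str(len(hits)) + ' indicator(s)'}")
        for indicator, evidence in hits.items():
            print(f"  {indicator} -> {evidence}")
```

Each key returned is something to fix on the analysis image (rename or remove the Guest Additions/Tools keys if the tooling allows, patch the BIOS strings exposed by the hypervisor, attach extra disks) before rerunning the sample, and the evidence value tells you exactly which string the check saw.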