General
Target: MV. HC SUNSHINE.cab
Size: 348KB
Sample: 210421-x93g6wlyxx
MD5: c7623a8c3be41a2f2c11cbe1c0c98ece
SHA1: 13ad375377ae0d5642a0604cd4623c0b0ae65771
SHA256: b2455f2d8055ae37a984428cbe56e8bb2006dd19d805e70db985ec1dc3c30673
SHA512: 3540ef3700834d1dd779264653bd72a70ad1f812f228ba8a3fdefa91b856e1ec05cf6ce977b464046cebc971797df090fd976673b2cc495e84f0705bbc4c7515
Static task: static1
Behavioral task: behavioral1
  Sample: MV. HC SUNSHINE.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: MV. HC SUNSHINE.exe
  Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.hyshippingcn.com
Port: 587
Username: plogs112@hyshippingcn.com
Password: e*u@qkS4
Targets
Target: MV. HC SUNSHINE.exe
Size: 479KB
MD5: 58986c24e1bdbb6a4dc734972f0c2457
SHA1: 55efb98db1658687405482410c825e2e0645c5ae
SHA256: deb49f04e1fd81d2c37e7a8a234d8460c6de4cd2513dca91fc5c6ed84fdae2f1
SHA512: e22c6140e11cff9584a963345b77989112fd2400bd0eb8a0b055a1fdc8f90b8e0e4167c8127da34aef30232ab0cabde63cd91b468fbc4757e8d53be04536b63e
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext