General
Target: COPY OF N-N.zip
Size: 521KB
Sample: 210511-22lf9vp25x
MD5: ecd2ca9a3bb12f5536705b7e4fe2fcda
SHA1: 6e7baeaf9376e111c49cd0eb4b9b77ed32a41ed7
SHA256: 27985ef546ffd6c9239b45bce432f59593c54591d3c2c306ffc5b485d02cf03c
SHA512: 4a45f9d28be7129e6f375e0af5161aa7ea232c31e027fb401c8609641dfd0efbd1a99c7ecf81dd0af985caba42c51c2ea7fb244a88012228ab66721bcaf504bc
Static task: static1
Behavioral task: behavioral1
  Sample: COPY OF N-N.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: COPY OF N-N.exe
  Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.medamanagement.com
Port: 587
Username: info@medamanagement.com
Password: 20@radihX21@Meda
Targets
Target: COPY OF N-N.exe
Size: 725KB
MD5: e835f5a976ab1d8dd4e4e10813dd2a67
SHA1: 68d789fcc36fdd8eb5cbb5b58c55cb1d48174c24
SHA256: c1269286a5b767fbd0b90c97cc06279b08ed094069932c8d17acc4c3144a218b
SHA512: 269eac258dd1b830f165b253be7cd533f6a99266fcec1e0c4367eb84098cea0c66bd1b40b0788e57de97e2c387240948d2145abb83230bce1b719360831d080b
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Drops file in Drivers directory
Looks for VMware Tools registry key
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Adds Run key to start application
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext