General
Target: Confirmation of Proforma Invoice payment.exe
Size: 772KB
Sample: 210722-jya98a66f2
MD5: 05faa69a6a3b27e38fd9cf62af7c7912
SHA1: deec4c6629877307a1ff83e45ec51b5cabe9f257
SHA256: dd7c1c609857ba8705a55abc0e35b32837c3b31310eaa4a7d43ee1c585ddfb79
SHA512: 08e95de90eff198e7eba9b973be271e7dd9a8ecb467eef6c4595289e68354c94042ac09eea0ac80374a9eb1fe538110c4325a12dea586c1898ad30bed353e6d2
Static task: static1
Behavioral task: behavioral1
Sample: Confirmation of Proforma Invoice payment.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: Confirmation of Proforma Invoice payment.exe
Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.vistakencana.com.my
Port: 587
Username: [email protected]
Password: m33R3bus!
Targets
Target: Confirmation of Proforma Invoice payment.exe
Size: 772KB
MD5: 05faa69a6a3b27e38fd9cf62af7c7912
SHA1: deec4c6629877307a1ff83e45ec51b5cabe9f257
SHA256: dd7c1c609857ba8705a55abc0e35b32837c3b31310eaa4a7d43ee1c585ddfb79
SHA512: 08e95de90eff198e7eba9b973be271e7dd9a8ecb467eef6c4595289e68354c94042ac09eea0ac80374a9eb1fe538110c4325a12dea586c1898ad30bed353e6d2
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Adds Run key to start application
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext