General
Target: 2ac2d91af826847f3e2544b2420a814d
Size: 819KB
Sample: 210915-hqya2saad4
MD5: 2ac2d91af826847f3e2544b2420a814d
SHA1: 79101b95f1d8171e6e5c4ce4e9d9372466a6259d
SHA256: 3e3bf2b2439b584bb039f072d969a4b31f5eb4c03fd8033fec911ff3ed5c1878
SHA512: 9785737408c6345e35d4ebe9f438bd2647f2b9e230b53592a5d3eebfc70b1969d4e1d614bbe44d7579803af51211f84d2060f558b9052875169f55f91195b4fc
Static task: static1
Behavioral task: behavioral1
Sample: 2ac2d91af826847f3e2544b2420a814d.exe
Resource: win7v20210408
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: mailjege@yandex.com
Password: recovery111
Targets
Target: 2ac2d91af826847f3e2544b2420a814d
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and credential stealer; this sample is configured to exfiltrate over SMTP (see Malware Config above).
- Turns off Windows Defender SpyNet reporting
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Nirsoft: code derived from NirSoft password-recovery utilities, which Agent Tesla reuses for credential harvesting.
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: rewriting another thread's context is typical of process hollowing and similar injection techniques.
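The registry-based sandbox checks, the persistence and Defender-tampering signatures above, and the SMTP exfiltration host from the extracted config can all be expressed as matching rules over a behavioural trace. The block below is an added example, not part of the report and not the sandbox's own signature engine. It runs the rules over a constructed API-call trace (the records, the dropped-file path and the OUTLOOK.EXE allowlist entry are made up for illustration); the registry paths are the ones these signature names conventionally refer to and are stated here as assumptions rather than taken from the report.

```python
"""Signature matching over a constructed sandbox API trace (added example)."""
import re
from collections import defaultdict

# Host/port from the report's extracted config; credentials deliberately omitted.
AGENTTESLA_C2 = {"protocol": "smtp", "host": "smtp.yandex.com", "port": 587}

READ_APIS = {"RegOpenKeyEx", "RegQueryValueEx"}
WRITE_APIS = {"RegSetValueEx"}
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist, not from the report

# (signature name, APIs that trigger it, key regex, value-name regex, required data)
# Key paths are assumptions about what each signature conventionally inspects.
REGISTRY_RULES = [
    ("Checks BIOS information in registry", READ_APIS,
     r"\\HARDWARE\\DESCRIPTION\\System$", r"^(System|Video)BiosVersion$", None),
    ("Looks for VirtualBox Guest Additions in registry", READ_APIS,
     r"\\Oracle\\VirtualBox Guest Additions$", None, None),
    ("Looks for VMWare Tools registry key", READ_APIS,
     r"\\VMware, Inc\.\\VMware Tools$", None, None),
    ("Maps connected drives based on registry", READ_APIS,
     r"\\Services\\Disk\\Enum$", None, None),
    ("Turns off Windows Defender SpyNet reporting", WRITE_APIS,
     r"\\Windows Defender\\Spynet$", r"^SpynetReporting$", "0"),
    ("Adds Run key to start application", WRITE_APIS,
     r"\\CurrentVersion\\Run$", None, None),
]

# Constructed trace in the shape a user-mode hook log produces; paths are invented.
DROPPED = r"C:\Users\victim\AppData\Roaming\2ac2d91af826847f3e2544b2420a814d.exe"
SAMPLE_TRACE = [
    {"api": "RegQueryValueEx", "key": r"HKLM\HARDWARE\DESCRIPTION\System", "name": "SystemBiosVersion"},
    {"api": "RegOpenKeyEx", "key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"api": "RegOpenKeyEx", "key": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"api": "RegQueryValueEx", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "name": "0"},
    {"api": "RegSetValueEx", "key": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Spynet",
     "name": "SpynetReporting", "value": "0"},
    {"api": "RegSetValueEx", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Update", "value": DROPPED},
    {"api": "connect", "image": DROPPED, "dest_host": "smtp.yandex.com", "dest_port": 587},
    {"api": "connect", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},  # benign mail client
    {"api": "RegQueryValueEx", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "name": "ShellState"},  # benign read, must not fire
]


def match_registry(event):
    """Return the names of registry rules that a single trace record satisfies."""
    hits = []
    for name, apis, key_re, name_re, data in REGISTRY_RULES:
        if event["api"] not in apis or not re.search(key_re, event.get("key", ""), re.I):
            continue
        if name_re and not re.search(name_re, event.get("name", ""), re.I):
            continue
        if data is not None and event.get("value") != data:
            continue
        hits.append(name)
    return hits


def match_network(event):
    """Flag a connection to the extracted C2 and mail submission from a non-mail process."""
    if event["api"] != "connect":
        return []
    hits = []
    if (event["dest_host"].lower() == AGENTTESLA_C2["host"]
            and event["dest_port"] == AGENTTESLA_C2["port"]):
        hits.append("Connects to extracted AgentTesla SMTP C2")
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    if event["dest_port"] in MAIL_PORTS and exe not in MAIL_CLIENTS:
        hits.append("SMTP submission from non-mail process")
    return hits


def triage(trace):
    """Map each fired signature to the indices of the trace records that fired it."""
    report = defaultdict(list)
    for i, event in enumerate(trace):
        for name in match_registry(event) + match_network(event):
            report[name].append(i)
    return dict(report)


if __name__ == "__main__":
    for signature, indices in triage(SAMPLE_TRACE).items():
        print(f"{signature}: events {indices}")
```

The C2 rule is the high-confidence indicator (host and port come straight from the extracted config); the "non-mail process on a submission port" rule is the broader hunt that would also catch a variant whose config was not recovered, at the cost of needing a tuned allowlist.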