General
-
Target
0cecfa83ee6ea6dd1de38462bbedf15c
-
Size
761KB
-
Sample
210915-hs8vkadbaj
-
MD5
0cecfa83ee6ea6dd1de38462bbedf15c
-
SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45
-
SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
-
SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86
Static task
static1
Behavioral task
behavioral1
Sample
0cecfa83ee6ea6dd1de38462bbedf15c.exe
Resource
win7-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.privateemail.com
Port: 587
Username: princeprice@voodome.com
Password: princeprice@11
Targets
-
Target
0cecfa83ee6ea6dd1de38462bbedf15c
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Turns off Windows Defender SpyNet reporting
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Nirsoft
-
Executes dropped EXE
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file
-
Loads dropped DLL
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-