General
Target: SHIPPING ADV#202109.zip
Size: 425KB
Sample: 210915-jce3zsdbek
MD5: 85c5cae427703ebe4021fa8ce265c945
SHA1: 6fa39c983e33c49ba52bb54e90df73bb9f99bc96
SHA256: c72743158ad2d3efab41bfc3c76e48d98139a53bb3786379149316b6cfb42f87
SHA512: d3b266008b028df2171a0cd866ff3cd20fa84b762e85ef8cf581027020689f19788c51da327da2d79f9f656193a75f9db4671b4b3d0aa5bfdc882d7a19326a35
Static task: static1
Behavioral task: behavioral1
Sample: SHIPPING ADV#202109.exe
Resource: win7v20210408
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.bsia.co.in
Port: 587
Username: yogesh@bsia.co.in
Password: 21mbsia@)@!Y
Targets
Target: SHIPPING ADV#202109.exe
Size: 831KB
MD5: db00ed0da0d3e5a11fd18a042c5c0c76
SHA1: 6de345db616385f220843d3c566710aa11a64681
SHA256: 6674e9af3a42239eaa8455873f2ee7deb83add5bb32b3f40619d9efee701527b
SHA512: 920aaf4919aeda252d7516e6c6e5c18af984aa3560fe62d34bb3bf84770b97f4ddfc17ea9829410d6e7faa91d8097408840fa33add292143dda734b9343f36ae
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext