General
- Target: PO_DEA657-ARFT-HD51012.exe
- Size: 685KB
- Sample: 211021-mtzeqsbadj
- MD5: 6ccb26ef552a1c49f6003dad2d7afd32
- SHA1: 5ae4a9a47b735329695592aad58b8b95ca846c88
- SHA256: 1dc5a420f5f2b1fde70c54cf70d22af94b7fbea0206e9f0c9a20d70ea4660975
- SHA512: 4cf80e5202a20807fafbe9266f160866c736230790589df261cac9825c7cb29e8d254f830993ada661b875c0127612bea861b82ad94dac8feb91e46f24303d29
Static task: static1
Behavioral task: behavioral1
- Sample: PO_DEA657-ARFT-HD51012.exe
- Resource: win10-de-20211014
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.karanex.com
- Port: 587
- Username: kindok@karanex.com
- Password: Oi&-tmhj@d5v
Targets
- Target: PO_DEA657-ARFT-HD51012.exe (685KB; hashes as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Registers COM server for autorun
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext