General
-
Target
eb43407ee7ae51e81270d21db3c2bfb8a480281840bbf3cb212a4b7a51fa7d77
-
Size
585KB
-
Sample
220520-16m45ahhcm
-
MD5
f31396003b7da26165bb3fb8fca2742d
-
SHA1
a50f71b72d43fd00cb0639daf57788810043d1be
-
SHA256
eb43407ee7ae51e81270d21db3c2bfb8a480281840bbf3cb212a4b7a51fa7d77
-
SHA512
d80f4a74246d5d77facbfe2701d29228cbfd83a1f344354bad6e9076e81e2f9fa9835c6d6c495e01b380c2e621ea0b3092eace4eaa7aedffd18b0a5cf814674e
Static task
static1
Behavioral task
behavioral1
Sample
PO#209027_xlxs.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO#209027_xlxs.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: blessing2020
Targets
-
-
Target
PO#209027_xlxs.exe
-
Size
618KB
-
MD5
aa08c71f5b944ab021e404a6789c2e99
-
SHA1
3f78a32757d3ed659bd8869d4f0d56c971e58912
-
SHA256
9ffb458e6d120f6d42906c102ce49ecefbe4a937d6b605a4d3a1b3a7dc15e627
-
SHA512
383bac0086bf39b68ffc0f286bfd397b1abd5531321ce030084a5090fbaee37955151ad740b9871fd5569732718f3caf04381c3bb73f08e2d38222955dac1310
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials, keystrokes and clipboard contents and exfiltrates them over SMTP, FTP or HTTP; the SMTP account in the extracted config above is this sample's exfiltration channel.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
The SystemBiosVersion and VideoBiosVersion strings under HKLM\HARDWARE\DESCRIPTION\System are commonly read to detect virtualised analysis environments, because hypervisors leave their vendor name (for example VBOX or VMware) in those strings.
-
Checks computer location settings
Reads the country code (a Windows GeoID, not an ISO code) stored under HKCU\Control Panel\International\Geo, most likely to geofence: the payload can refuse to run in regions the operator wants to avoid.
-
Accesses Microsoft Outlook profiles
Outlook profile data in the registry is read to harvest saved mail-account credentials, one of the credential stores Agent Tesla targets before exfiltration.
-
Maps connected drives based on registry
The drive list under HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum is commonly read to detect sandboxes, because the device instance IDs embed the disk vendor and product string (for example VBOX_HARDDISK or a VMware virtual disk).
-
Suspicious use of SetThreadContext
Calling SetThreadContext on the suspended primary thread of a newly created process is the final step of process hollowing: the thread's entry point is redirected into the injected payload before the process is resumed. For a packed Agent Tesla dropper this typically marks the loader handing execution to the decrypted payload.
-
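The following PowerShell script is an added example for this report; it is not code from the sample, the sandbox vendor, or the Agent Tesla authors. It reads the same registry artifacts the behavioural task reports above (the VirtualBox Guest Additions key, the VMware Tools key, the BIOS strings, the Geo nation code and the Disk\Enum drive list) so an analyst can see what the sample would see on a given host and which artifacts still betray a virtualised sandbox. The registry paths are the standard Windows locations for these values; the vendor-name regex and the Suspicious flag are heuristics assumed here, not the sample's own decision logic.

```powershell
# Added example: enumerate the sandbox-detection artifacts this report lists.
# The $VmPattern regex is an assumption covering strings common hypervisors
# leave in BIOS and disk identifiers; tune it for your own lab images.

$VmPattern = 'VBOX|VirtualBox|VMware|QEMU|Bochs|Xen|Virtual'

function Get-RegValues {
    # Return a hashtable of value-name -> data for a registry key,
    # or $null if the key does not exist.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    $out = @{}
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties Get-ItemProperty adds.
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            $out[$p.Name] = $p.Value
        }
    }
    return $out
}

function Test-SandboxArtifacts {
    $results = @()

    # Guest-tools keys: the mere presence of the key is the tell.
    $toolKeys = @(
        @{ Name = 'VirtualBox Guest Additions key'
           Path = 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions' },
        @{ Name = 'VMware Tools key'
           Path = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools' }
    )
    foreach ($k in $toolKeys) {
        $present = Test-Path -LiteralPath $k.Path
        $results += [pscustomobject]@{
            Check      = $k.Name
            Value      = $(if ($present) { 'key present' } else { 'absent' })
            Suspicious = $present
        }
    }

    # BIOS strings: hypervisors name themselves in the BIOS/video BIOS version.
    $sys  = Get-RegValues 'HKLM:\HARDWARE\DESCRIPTION\System'
    $bios = @($sys['SystemBiosVersion']; $sys['VideoBiosVersion']) -join ' '
    $results += [pscustomobject]@{
        Check      = 'BIOS strings (HARDWARE\DESCRIPTION\System)'
        Value      = $bios
        Suspicious = [bool]($bios -match $VmPattern)
    }

    # Country code: a Windows GeoID, read by the sample for geofencing.
    # Reported for information only; it is not a sandbox indicator by itself.
    $geo = Get-RegValues 'HKCU:\Control Panel\International\Geo'
    $results += [pscustomobject]@{
        Check      = 'Geo\Nation (Windows GeoID)'
        Value      = $geo['Nation']
        Suspicious = $false
    }

    # Disk\Enum: values named 0..N-1 hold device instance IDs that embed the
    # disk vendor/product string, e.g. VBOX_HARDDISK or a VMware virtual disk.
    $disks = Get-RegValues 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum'
    $ids = @()
    if ($disks) {
        $ids = @($disks.Keys | Where-Object { $_ -match '^\d+$' } |
                ForEach-Object { $disks[$_] })
    }
    $results += [pscustomobject]@{
        Check      = 'Disk\Enum device IDs'
        Value      = ($ids -join '; ')
        Suspicious = [bool](($ids -join ' ') -match $VmPattern)
    }

    return $results
}

Test-SandboxArtifacts | Format-Table -AutoSize
```

Run it inside the analysis guest before detonating samples like this one: every row flagged Suspicious is an artifact the sample's registry checks can use to bail out, so it is a candidate for renaming or removal when hardening the image. The Geo\Nation row is shown so you can confirm the guest's configured region matches the victim profile the lure (a purchase-order themed executable) is aimed at.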