General
- Target: d167d1bcb7045883cf93f8a4dcf16f289ec82e2c68a4b23d29868770278c93b7
- Size: 416KB
- Sample: 220520-3r6c9shdf6
- MD5: a8d4efd3ec17d9f1ac7d3eb4eafe4293
- SHA1: b6428593817b92bf1cd0dae9785b0da1a68e4b43
- SHA256: d167d1bcb7045883cf93f8a4dcf16f289ec82e2c68a4b23d29868770278c93b7
- SHA512: 24ba8b314f96b2fc759859d82aab23ff93a72983a88fab61b29ebef4ee1f050a324b576302a297e8a1cbe657555e5066f989ffa63ee44a5c44c46f9818276593
Static task: static1
Behavioral task: behavioral1
- Sample: shipping documents.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: shipping documents.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.varda.com.tr
- Port: 587
- Username: [email protected]
- Password: varda9997929
Targets
- Target: shipping documents.exe
- Size: 759KB
- MD5: 9fb2846dca4accdd1c4fcaf212e1c6f6
- SHA1: b49cfbe4a19d7ab3ee7d1a33425ccc822bba3d2e
- SHA256: d0b71fdf377abca1c191fedeab8311dac158632edb66f3b894166686d61bfad6
- SHA512: 9ae52ef0f49c06e650c2ede614b6ff5f3a2b6de5cc18b892c5cf72bd583a4919f160ad4c30cac8a126fdaf1e3066a7a674e471138dc70213268f597227e81616
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext