General
- Target: c0a04518fc7a861d4fbb81430b82bd5e17394dfeeddff414e3f7d1966d457155
- Size: 685KB
- Sample: 220520-3v64zahfa6
- MD5: 61bafb047ba7c7d748a8eca5cdb43caf
- SHA1: 5cf8923a6c87b5668b13459903573583b409bde1
- SHA256: c0a04518fc7a861d4fbb81430b82bd5e17394dfeeddff414e3f7d1966d457155
- SHA512: 70febcbc74dda35f09062deb32179f5cbb0b28dce26f180b89fc99f2424fdad2aa502315164f2c0e4e933cf8dd9c4a1479886ffd6d8043eebeddcc5527cd0a02
Static task: static1
Behavioral task: behavioral1
- Sample: commission invoice.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: commission invoice.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.greensudrhotel.com
- Port: 587
- Username: [email protected]
- Password: Greensudr2017
Targets
- Target: commission invoice.exe
- Size: 879KB
- MD5: e770121ccf7b3cddde5d6548cb9efdfe
- SHA1: 6b4fd83d704d5d597bb6e03cdc44c42839519e89
- SHA256: f7e7f9c0172ba900708b35378e311e9a29168621ed968082f3f980f81de19c54
- SHA512: 4db81351423107334c31a91bbd2707022df9f6bc5dfb262d471222f6c678d5d1a8b90abb8705af5acee80e53b59251c4d18389f06b69d881b01a39fb6376a30b
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext