General
Target: a2b8a1e8ffa94d98ae7e7ddbc63662f91020d004362423a78dd1946e1fd708e8
Size: 570KB
Sample: 220521-aa8svacgdp
MD5: 472e65188b50e7fddd1c144783478448
SHA1: 6668dff78ec0225a1fabf7cd813d241bffa50e17
SHA256: a2b8a1e8ffa94d98ae7e7ddbc63662f91020d004362423a78dd1946e1fd708e8
SHA512: 67f3b67f1436d1945e73288785cecd80a0509ebfe39a8fa536cf3ba06ad17fa724921f95d75635fd63c28a3eda3f4a6d937c6ce2f7a0aebd64af297a3929e3b1
Static task: static1
Behavioral task: behavioral1
  Sample: REMITTANCE COPY..exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: REMITTANCE COPY..exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.palcoman.com
Port: 587
Username: [email protected]
Password: GgwWVBJ5
Targets
Target: REMITTANCE COPY..exe
Size: 691KB
MD5: ecd4d524988a5ad8813312e23a04c7f7
SHA1: bb748bb7e34b8ef8a506eaeb77965f2a3fddc88c
SHA256: 239c9e3df55261a7c4037ac8b5693cecb72c0c5d3f832787baea8ad4f1841209
SHA512: b351e9b38e64ad14bf6c49a7fa819bfa4afba13e09825b6697e2ce32900635e0cb6d084a101dd9bde57742f5a5a9b8662d7917f391af9f35cbcb17ef472ccbe1
- AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic; the extracted SMTP config above is the channel it uses to mail stolen data out.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check before the payload runs.
- Accesses Microsoft Outlook profiles
  Stored mail-client credentials are a standard Agent Tesla theft target.
- Adds Run key to start application
  Persistence through the Windows CurrentVersion\Run registry key.
- Suspicious use of SetThreadContext
  Typical of process hollowing: the payload is written into a suspended child process and its thread context is redirected before it resumes.
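As an added example (not part of the sandbox report or of any vendor's tooling), the indicators in this report turned into simple hunt logic run over constructed Sysmon-style events. The hashes, the SMTP host and the port are copied from the report above; the event records, the victim path, the Run value name and the MAIL_CLIENTS allow-list are assumptions made for the example and not real telemetry.

```python
"""Hunt logic built from the Agent Tesla report above.

Added example, not the sandbox's own code.  IOCs are copied from the
report; EVENTS is constructed to resemble Sysmon fields and is not real
telemetry.
"""
import re

# IOCs copied from the report.
SAMPLE_SHA256 = "a2b8a1e8ffa94d98ae7e7ddbc63662f91020d004362423a78dd1946e1fd708e8"
PAYLOAD_SHA256 = "239c9e3df55261a7c4037ac8b5693cecb72c0c5d3f832787baea8ad4f1841209"
EXFIL_HOST = "smtp.palcoman.com"
EXFIL_PORT = 587
KNOWN_HASHES = {SAMPLE_SHA256, PAYLOAD_SHA256}

# Persistence: the "Adds Run key" signature.  RunOnce is covered too.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Submission ports Agent Tesla's SMTP exfil can use (587 is what this config uses).
MAIL_PORTS = {25, 465, 587}
# Hypothetical allow-list of processes expected to speak SMTP on a workstation.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def sha256_from_hashes(field):
    """Pull the SHA256 out of a Sysmon 'Hashes' field ('MD5=..,SHA256=..')."""
    m = re.search(r"SHA256=([0-9a-fA-F]{64})", field)
    return m.group(1).lower() if m else None


def report_iocs():
    """Atomic indicators a hunter would extract from this report."""
    return {"sha256": sorted(KNOWN_HASHES), "exfil": (EXFIL_HOST, EXFIL_PORT, "smtp")}


def detect(events):
    """Return (rule, image) hits for a list of Sysmon-style event dicts."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if eid == 1 and sha256_from_hashes(ev.get("Hashes", "")) in KNOWN_HASHES:
            hits.append(("known_agenttesla_hash", image))
        elif eid == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
            hits.append(("run_key_persistence", image))
        elif eid == 3 and ev.get("DestinationPort") in MAIL_PORTS:
            if ev.get("DestinationHostname", "").lower() == EXFIL_HOST:
                hits.append(("agenttesla_smtp_exfil_host", image))
            elif exe not in MAIL_CLIENTS:
                # Lower-confidence: SMTP from something that is not a mail client.
                hits.append(("smtp_from_non_mail_client", image))
    return hits


# Constructed events (hypothetical victim path and Run value name).
MALWARE = "C:\\Users\\victim\\Downloads\\REMITTANCE COPY..exe"
EVENTS = [
    {"EventID": 1, "Image": MALWARE,
     "Hashes": "MD5=ecd4d524988a5ad8813312e23a04c7f7,SHA256=" + PAYLOAD_SHA256},
    {"EventID": 13, "Image": MALWARE,
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows"
                     "\\CurrentVersion\\Run\\REMITTANCE COPY.",
     "Details": MALWARE},
    {"EventID": 3, "Image": MALWARE, "Protocol": "tcp",
     "DestinationHostname": "smtp.palcoman.com", "DestinationPort": 587},
    # Benign traffic that must not fire: a real mail client, and HTTPS.
    {"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "Protocol": "tcp", "DestinationHostname": "smtp.office365.com", "DestinationPort": 587},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "Protocol": "tcp",
     "DestinationHostname": "update.example.net", "DestinationPort": 443},
]

if __name__ == "__main__":
    print(report_iocs())
    for rule, image in detect(EVENTS):
        print(f"{rule}: {image}")
```

The hash and host rules are exact matches and will only catch this build; the Run-key and SMTP-from-non-mail-client rules are the ones that survive a re-packed sample, at the cost of needing a tuned allow-list.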