General
Target: 7a84ade5bcef198d32f876ff301affb17f25b9718d5471639d3285226ae1a23e
Size: 402KB
Sample: 220521-ak2ghsdcfq
MD5: 219afd411f645db61020a790dc26c41c
SHA1: 6d944b9eb5a7451155a620f92b2932c2c9d6414e
SHA256: 7a84ade5bcef198d32f876ff301affb17f25b9718d5471639d3285226ae1a23e
SHA512: 23d95ca275c093b57292828946de3ce4ea3f4208f2aabed4c2047f9cf5eaef4e9a8ceb724f6a19f09728ed49ee61830e985e97f20da0458e8b99e40ed8283fc8
Static task: static1
Behavioral task: behavioral1 (sample: new order.exe, resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: new order.exe, resource: win10v2004-20220414-en)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.yitaipackaging.com
Port: 587
Username: [email protected]
Password: 22799213
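The extracted SMTP configuration is directly usable as network indicators. The following is an added example, not part of the sandbox report and not AgentTesla's own code: it parses the config in the form the sandbox prints it and scores constructed SMTP events against it. The hostname, port and password come from the report; the username is redacted on the page and is carried through as the redacted placeholder. The `SmtpEvent` record, the `ALLOWED_RELAYS` allowlist and the sample events are assumptions constructed for the example. The third rule goes beyond the report's specific indicators: it flags any endpoint submitting mail to a server outside the corporate relay allowlist, which is the behaviour AgentTesla's SMTP exfiltration produces whatever mailbox a particular build uses.

```python
import re
from dataclasses import dataclass

# The extracted configuration from this report, joined onto one line in the
# form the sandbox printed it. The username is redacted on the page and the
# redacted placeholder is carried through unchanged.
EXTRACTED_CONFIG = (
    "Protocol: smtp- Host: mail.yitaipackaging.com - Port: 587 "
    "- Username: [email protected] - Password: 22799213"
)


def parse_config(text: str) -> dict:
    """Turn 'Key: value - Key: value' output into a dict with lower-case keys.

    Sandbox output sometimes glues the separator to the value ('smtp- Host:'),
    so the separator is normalised before splitting.
    """
    text = re.sub(r"\s*-\s*(?=[A-Za-z]+:)", " - ", text)
    cfg = {}
    for part in text.split(" - "):
        key, _, value = part.partition(":")
        cfg[key.strip().lower()] = value.strip()
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


@dataclass
class SmtpEvent:
    """Constructed network event: an endpoint opening an SMTP session.

    dst_host is the server name as a DNS, proxy or EDR sensor would record it;
    auth_user is the SMTP AUTH login when the sensor saw it in the clear.
    """
    src: str
    dst_host: str
    dst_port: int
    auth_user: str = ""


# Assumed: the only mail relay workstations are allowed to submit through.
ALLOWED_RELAYS = {"smtp.corp.example"}
SUBMISSION_PORTS = {25, 465, 587}


def evaluate(event: SmtpEvent, cfg: dict, allowed_relays=ALLOWED_RELAYS) -> list:
    """Return (severity, reason) findings for one event.

    Two exact matches against the extracted config, plus one behavioural rule
    that also catches a re-packed sample using a different mailbox.
    """
    findings = []
    if (event.dst_host.lower() == cfg["host"].lower()
            and event.dst_port == cfg["port"]):
        findings.append(("high", "SMTP session to the exfil host in the extracted config"))
    if event.auth_user and event.auth_user.lower() == cfg["username"].lower():
        findings.append(("high", "SMTP AUTH with the username from the extracted config"))
    if (event.dst_port in SUBMISSION_PORTS
            and event.dst_host.lower() not in allowed_relays):
        findings.append(("medium", "endpoint submitted mail to a non-corporate server"))
    return findings


# Constructed events: one matching the report, one legitimate relay, one
# unknown mail server, one plain HTTPS connection.
SAMPLE_EVENTS = [
    SmtpEvent("10.0.0.15", "mail.yitaipackaging.com", 587, "[email protected]"),
    SmtpEvent("10.0.0.22", "smtp.corp.example", 587),
    SmtpEvent("10.0.0.31", "smtp.gmail.com", 465),
    SmtpEvent("10.0.0.40", "www.example.com", 443),
]


def run(events=SAMPLE_EVENTS, cfg_text=EXTRACTED_CONFIG) -> dict:
    """Evaluate every event against the parsed config, keyed by source host."""
    cfg = parse_config(cfg_text)
    return {e.src: evaluate(e, cfg) for e in events}


if __name__ == "__main__":
    for src, hits in run().items():
        for severity, reason in hits:
            print(f"{src}: [{severity}] {reason}")
```

The exact-match rules age quickly because the actor can rotate the mailbox; the allowlist rule is the one worth keeping in production, tuned to the relays your endpoints are genuinely expected to use.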
Targets
Target: new order.exe
Size: 444KB
MD5: 9d9881934e837298eef34f31bd4fdac6
SHA1: 1d8e4add2babcd745934a6924efc52a73edf74ee
SHA256: 1e41a4bc1146c02cf7e2e5f2a040ad3835f4852b675bfef98eeaed0c16d8bee3
SHA512: d9e512b4b0765bc050218bed8efcc1c2d07313b3204d1a255cd96b5bf237666ad4f44d7cc41e3cb38b09f35e31cb420391567c27272f4c905d6a25b0785a5c78
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests saved credentials, logs keystrokes and exfiltrates the collected data to an attacker-controlled mailbox or server; the SMTP account in the extracted configuration above is that exfiltration channel.
suricata: ET MALWARE AgentTesla Exfil Via SMTP
AgentTesla Payload
Drops file in Drivers directory
Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
Accesses Microsoft Outlook profiles
Adds Run key to start application (persistence)
Suspicious use of SetThreadContext (commonly seen when a loader hollows another process or hijacks one of its threads)