General
-
Target
7897e911d239da273fe44e59a835380795e52ce59e96bda1740c3ae7d63aae9c
-
Size
417KB
-
Sample
220521-all38adchn
-
MD5
30c298f2c2a4b19e29544fc435be5c70
-
SHA1
56457d9a1572eab1cc38074fd107db8b1ca0578f
-
SHA256
7897e911d239da273fe44e59a835380795e52ce59e96bda1740c3ae7d63aae9c
-
SHA512
52ae2dececa92ad34329d4d32a4a0b29785ea581e01b380076131a702ed5ac6cfc02822d195dbf296098d6769cb45920f212d20502d8b6e9a5cd5571b341d16a
Static task
static1
Behavioral task
behavioral1
Sample
yUJ6pfrBT92ChKS.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
yUJ6pfrBT92ChKS.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.rajalakshmi.co.in
Port: 587
Username: [email protected]
Password: 009_DESign1*
Extracted
Protocol: smtp
Host: mail.rajalakshmi.co.in
Port: 587
Username: [email protected]
Password: 009_DESign1*
Targets
-
Target
yUJ6pfrBT92ChKS.exe
-
Size
529KB
-
MD5
8c32f596fbd2f52b34d1c891a0559493
-
SHA1
67b0750eef95d840137b274a0c486c7cb63a0601
-
SHA256
25387e5ca0782bee6e0d9aa279453187cbee9d86bfa0fca6246725ff20f45f92
-
SHA512
9b627e1377bb4ef33de88ab2ab62de22222f53e625793cdff218526afe78e105b140fc997de06639a26b85fc57852a0d3fcd7481ae4d838a42cc5b1dbb7625c0
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-