General
- Target: 580bb55f65794a7c10c80501d6f4e3f00749218fdfcbd193371a70cbab2505b8
- Size: 413KB
- Sample: 220521-b12mwscgh6
- MD5: da49063f027ce527ce37b964de634ce8
- SHA1: 0eb8c16b94f38b00d114137584a68811197be051
- SHA256: 580bb55f65794a7c10c80501d6f4e3f00749218fdfcbd193371a70cbab2505b8
- SHA512: 7aef3bf4893626889e2233d040a9078e7d7628405e73a1771eeedf3a27fb4cc3b8b4372724de326f8d63c7f1040614f1f5ed6111d27c3da63b8bd02dd46c9083
Static task: static1
Behavioral task: behavioral1
- Sample: Gasket-11 may 2020-PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Gasket-11 may 2020-PDF.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mederfashion.com
- Port: 587
- Username: amir@mederfashion.com
- Password: Success4sure2day10@
Targets
- Target: Gasket-11 may 2020-PDF.exe
- Size: 501KB
- MD5: 0785b3bb1c10ac471dd60d054b755687
- SHA1: 5e394bb37954d98a73a1b8e6b08bf7a424459e89
- SHA256: d8dd0f2a3379826e0b9ca6ce11f4fdd873c5918ff0cb4aa19e26c561154449a3
- SHA512: 38b5bead4df80d4a9a6f81c9d35e9c2df8b8d73b37b247e503c6dbfef185da24a22630875bb5fda51092ce53803bbc9a5ee7641be47d40eb9539e5c8f7eb4042
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext