General
-
Target
1cc4d9fc5b5eb3550d60c5bc793ce8691c43024cdea5eedbbe321174a7ed60e8
-
Size
480KB
-
Sample
220521-bb5m9aegal
-
MD5
ec6365d632fdea9d6c638680c474e4f6
-
SHA1
a2943a88ec349abbfa111e0301e0e89b526885ea
-
SHA256
1cc4d9fc5b5eb3550d60c5bc793ce8691c43024cdea5eedbbe321174a7ed60e8
-
SHA512
db96f89f52a548eb904709742d25097506ae7f21e08f72aa0720432615c4115e237cf9dbf8a9dcb61f0044eb8c651a5ae87285f3a649ad9ce05a01f8b2e34d69
Static task
static1
Behavioral task
behavioral1
Sample
invoice.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
invoice.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.tiig-eg.com - Port:
587 - Username:
[email protected] - Password:
servicelorch
Targets
-
-
Target
invoice.exe
-
Size
661KB
-
MD5
62d71e64446c5a38e393a1fe2b57fd40
-
SHA1
29c4057c9fa750363eb70e3d92ea31f4498beeca
-
SHA256
9748273b3c0d1351dd509be12aa2f6787e385beea419de9adfd9be8f999bfa0c
-
SHA512
bc2700cb6b1e21facfadb60f90d45897bcfac4f1ebc4b2c691f275db16908adc7539dd0d7729d59a3317bd8b2e679e4c11bffe4c3633c9c695369eea3cdab079
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-