General
Target: b2083ce7d4550ceaccac4b45679bfa5a9c8168adee4d7c79b7a6b566e597ddf9
Size: 391KB
Sample: 220521-bp2thsccb6
MD5: dc421ca0185a51734748e38112923441
SHA1: 8a9436ae875d14d7d5dd53390e9132e92e0104ec
SHA256: b2083ce7d4550ceaccac4b45679bfa5a9c8168adee4d7c79b7a6b566e597ddf9
SHA512: bf02bfe6aa43e208e8fd2fddd2af82191d223af532a7bd383bc9ff616442703eaa64dab9b405f27e3f91ff2ca302431b6a0e946c967201fcc7c8accc082a5e4d
Static task: static1
Behavioral task: behavioral1
Sample: SOA APRIL.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: SOA APRIL.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.tolipgoldenplaza.com
Port: 587
Username: [email protected]
Password: Golden@#$2019
Targets
Target: SOA APRIL.exe
Size: 443KB
MD5: b4918de9ccfdf564a629cea7e3b82195
SHA1: aab1d0e71ce72baffc39ce5f9fd3fc5aad0ec8d9
SHA256: c57c75b73874a793db4640a20bf8f89c57d8b95c9165a721e3a71f5693127c49
SHA512: f50ebdab2e8c5c2598ef52eae7a2c0d9f53900f0c26cf17cfd441051390d083a0881d1eb80eb713ef8d2e96633478d654219c07fd5178881919bf78801ed3d41
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext