General
- Target: a6f7fd4e15e0d9a51fe8144d61fad65d652610d33fec046bfde22a984aeb4b3d
- Size: 406KB
- Sample: 220521-bqklmacce2
- MD5: 8700f13f329c93eaf7482304af41c80a
- SHA1: 6721cd169cdd12fdd25081a1c3881d56a1928c94
- SHA256: a6f7fd4e15e0d9a51fe8144d61fad65d652610d33fec046bfde22a984aeb4b3d
- SHA512: 174c80ea3808be25a059c461a07439419066c14e8f74b6765ba834be6818960acfbbae6728c7e16f10385fb4af881b72cb170ee12250aa1a66b2e737d3e75e13
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT DETAILS.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PAYMENT DETAILS.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.starmakertravel.com
- Port: 587
- Username: [email protected]
- Password: admin2000
Targets
- Target: PAYMENT DETAILS.exe
- Size: 493KB
- MD5: 3a9a227176fb62ce49babf580bb65d3a
- SHA1: bab607332c3e627c5625daefff43a30bc911a11e
- SHA256: b1d739f172585d015a122fa13d80e292e82a0e6933b40586b8c52f09414d4691
- SHA512: c75101c47ed62530b94b02db01ca5eece4698217d7e6ae50a640272cf9286980a2146e62aa16d335496d4e92048fdae7b01f5bc9957afcb000064c183a02065f
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext