General
Target: a073ccae277c0c119f279b338f6a84885bb6a65a1542c541eb0f72d89fdffc5f
Size: 434KB
Sample: 220521-bqwnwsccf5
MD5: 45f90952aa556a2b82f76b6b7b3acecd
SHA1: cc3472af5bc74eb34943d650c2b547d75b0ca93a
SHA256: a073ccae277c0c119f279b338f6a84885bb6a65a1542c541eb0f72d89fdffc5f
SHA512: 5428bfa4e88092a42b89bea0ea9ca7ac68cf8ba328557923c498af84f43541d3659dc95d1e335857ac71c53f3c8f516dc5b80a45ceb87497c7a32ea998209ce5
Static task: static1
Behavioral task: behavioral1
Sample: 20200522.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: 20200522.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.mail15.cp247.net
Port: 587
Username: [email protected]
Password: Mm8182
Targets
Target: 20200522.exe
Size: 609KB
MD5: 0b2e69a9195cd4f0aa610bcf0157e036
SHA1: c5d464f8f45234c967ad190f245391fca50addb2
SHA256: 9c1aaf3c45fa0ef5dedb8d4c4eb369351813576318f866f6c0985ba072dd3494
SHA512: af52dba0f00232d5f348fdde3f3d4ce7aa264fb08d001fc3607327a452247df84fa6c2fb0c4b6a04fe791e1517d97d5f7a8d5d3ee7b50c996c2aa707744c6a1b
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It exfiltrates stolen credentials and keystrokes over SMTP, FTP or HTTP, which is why the extracted configuration above is a mail server, port and account rather than a C2 URL.
CoreEntity .NET Packer
A .NET packer called CoreEntity that stores its payload as an embedded Bitmap object and decrypts it at runtime before loading it.
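The packer entry above only says the payload is carried inside a Bitmap and decrypted later. The following is an added example (not CoreEntity's own code, and the page does not describe its real layout or cipher): it builds a 24-bit BMP whose pixel bytes carry a constructed blob, then parses the BMP headers back and recovers the blob. The 4-byte length prefix, the sequential top-down layout and the single-byte XOR (`ASSUMED_XOR_KEY`) are all assumptions standing in for whatever the packer actually does; the BMP parsing (pixel offset, row stride padded to 4 bytes, bottom-up row order) is the part that carries over to a real sample.

```python
"""Recover a payload hidden in the pixel data of a 24-bit BMP.

Added example, not CoreEntity's code. The page does not give the packer's
layout or cipher, so the length prefix, sequential layout and XOR key below
are ASSUMPTIONS used only to make the demo self-contained.
"""
import struct

ASSUMED_XOR_KEY = 0x5A  # placeholder, not the packer's real key


def _stride(width: int) -> int:
    """BMP rows are padded to a multiple of 4 bytes (24 bpp -> 3 bytes/pixel)."""
    return (width * 3 + 3) // 4 * 4


def build_carrier_bmp(payload: bytes, width: int = 16) -> bytes:
    """Construct a bottom-up 24-bit BMP whose pixel bytes hold
    len(payload) || XOR(payload). Only used to produce a test input."""
    body = struct.pack("<I", len(payload)) + bytes(b ^ ASSUMED_XOR_KEY for b in payload)
    stride, usable = _stride(width), width * 3
    height = -(-len(body) // usable)            # ceil division: rows needed
    rows = []
    for r in range(height):
        chunk = body[r * usable:(r + 1) * usable].ljust(usable, b"\x00")
        rows.append(chunk + b"\x00" * (stride - usable))
    pixels = b"".join(reversed(rows))           # BMP stores the bottom row first
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return header + dib + pixels


def extract_payload(bmp: bytes) -> bytes:
    """Parse the BMP headers, walk the rows in image order, decrypt the payload."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    _dib_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    if bpp != 24:
        raise ValueError(f"expected 24 bpp, got {bpp}")
    stride, usable = _stride(width), width * 3
    n_rows = abs(height)
    # Positive height means bottom-up storage, negative means top-down.
    order = range(n_rows) if height < 0 else range(n_rows - 1, -1, -1)
    stream = b"".join(
        bmp[pixel_offset + r * stride: pixel_offset + r * stride + usable] for r in order
    )
    length = struct.unpack_from("<I", stream, 0)[0]
    # Sanity check a practitioner wants: a bogus length means wrong layout or key.
    if length > len(stream) - 4:
        raise ValueError("length prefix exceeds pixel data; wrong layout or key")
    return bytes(b ^ ASSUMED_XOR_KEY for b in stream[4:4 + length])


if __name__ == "__main__":
    sample = b"MZ" + b"\x90" * 60 + b"constructed stand-in for the .NET payload"
    carrier = build_carrier_bmp(sample, width=5)   # width 5 forces row padding
    assert extract_payload(carrier) == sample
    print(f"carrier {len(carrier)} bytes -> recovered {len(sample)} payload bytes")
```

Against a real sample the Bitmap comes out of the .NET resource section (any .NET resource dumper will give you the raw BMP), and the cipher and layout have to be read from the packer's decrypt routine before `extract_payload` is adapted; the length-prefix check is what tells you quickly that the guessed key or layout is wrong.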
AgentTesla Payload
CoreCCC Packer
Detects the CoreCCC packer, which is used to load .NET malware.
Looks for VirtualBox Guest Additions in registry
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Looks for VMWare Tools registry key
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext
Setting another thread's context is a common step in process hollowing: a process is started suspended, its image is replaced, and the main thread's entry point is redirected before it resumes.
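The registry-based signatures above (the VirtualBox, VMware, BIOS, location and drive lookups, the Outlook profile access, and the RegEdit/Task Manager policy writes) are what a behaviour log has to be matched against. The following is an added example of that matching, not the sandbox's own detection code: the signature names are the page's, the registry paths are the locations these checks commonly touch and are assumptions about what was actually matched, and the event records are constructed for the demo rather than taken from the report. It distinguishes reads from writes, treats a policy write as a "disable" only when the value is set to 1, and scores per process so that a lone BIOS read (which inventory agents also do) is not treated like the full chain.

```python
"""Score the registry behaviours reported above from a behaviour log.

Added example, not the sandbox's code. Registry paths are ASSUMPTIONS
about where these checks land; the event format and sample events are
constructed for the demo.
"""
import re
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "pid op key value data")

# (signature name from the report, regex over the key path, value name or None,
#  operations that count, category)
RULES = [
    ("Looks for VirtualBox Guest Additions in registry",
     r"\\Oracle\\VirtualBox Guest Additions", None, {"open", "query"}, "evasion"),
    ("Looks for VMWare Tools registry key",
     r"\\VMware, Inc\.\\VMware Tools", None, {"open", "query"}, "evasion"),
    ("Checks BIOS information in registry",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", None, {"open", "query"}, "evasion"),
    ("Checks computer location settings",
     r"\\Control Panel\\International\\Geo$", "Nation", {"query"}, "evasion"),
    ("Maps connected drives based on registry",
     r"\\Services\\Disk\\Enum", None, {"open", "query"}, "evasion"),
    ("Accesses Microsoft Outlook profiles",
     r"\\Windows Messaging Subsystem\\Profiles|\\Outlook\\Profiles", None,
     {"open", "query"}, "stealer"),
    ("Disables RegEdit via registry modification",
     r"\\Policies\\System$", "DisableRegistryTools", {"set"}, "tamper"),
    ("Disables Task Manager via registry modification",
     r"\\Policies\\System$", "DisableTaskMgr", {"set"}, "tamper"),
]
CATEGORY = {name: cat for name, _, _, _, cat in RULES}


def match(ev):
    """Return the names of every rule the single event satisfies."""
    names = []
    for name, key_re, value_name, ops, _ in RULES:
        if ev.op not in ops or not re.search(key_re, ev.key, re.IGNORECASE):
            continue
        if value_name and (ev.value or "").lower() != value_name.lower():
            continue
        # The policy values disable the tool only when set to 1; 0 re-enables it.
        if ev.op == "set" and str(ev.data) != "1":
            continue
        names.append(name)
    return names


def verdict(names):
    """Demo heuristic: policy tampering is enough on its own, and evasion plus
    mailbox access together is the stealer pattern; a lone hardware read is
    only suspicious because inventory agents read the same keys."""
    cats = {CATEGORY[n] for n in names}
    if "tamper" in cats or ("stealer" in cats and "evasion" in cats):
        return "malicious"
    if "evasion" in cats or "stealer" in cats:
        return "suspicious"
    return "clean"


def triage(events):
    """Group events per process and return {pid: (verdict, sorted rule names)}."""
    per_pid = defaultdict(set)
    for ev in events:
        per_pid[ev.pid].update(match(ev))
    return {pid: (verdict(names), sorted(names)) for pid, names in per_pid.items()}


# Constructed behaviour log (not the sandbox's format): pid 1234 mimics the
# sample's chain, pid 777 is a benign agent reading BIOS data and re-enabling
# Task Manager.
POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    Event(1234, "open", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions", None, None),
    Event(1234, "open", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", None, None),
    Event(1234, "query", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer", None),
    Event(1234, "query", r"HKCU\Control Panel\International\Geo", "Nation", "244"),
    Event(1234, "query", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "0", None),
    Event(1234, "open", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles", None, None),
    Event(1234, "set", POLICY, "DisableRegistryTools", 1),
    Event(1234, "set", POLICY, "DisableTaskMgr", 1),
    Event(777, "query", r"HKLM\HARDWARE\DESCRIPTION\System\BIOS", "BIOSVersion", None),
    Event(777, "set", POLICY, "DisableTaskMgr", 0),
]

if __name__ == "__main__":
    for pid, (label, names) in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, label, names)
```

Feeding real data means mapping your telemetry onto `Event`: a sandbox API trace gives you the open/query operations directly, while Sysmon only records the writes (Event ID 13 for the policy values), so on an endpoint without API tracing the "tamper" rules are the ones you can actually alert on.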