General
Target: 8aa2115c37d26f08727c93059a9c7b16f442185a3370405b435deb9be8dbcf28
Size: 400KB
Sample: 220521-brszdsfddl
MD5: d102c47079981272eaa11c9e9c7438b8
SHA1: 7729bdeeda8d124e37327222b89cb6622b7dce23
SHA256: 8aa2115c37d26f08727c93059a9c7b16f442185a3370405b435deb9be8dbcf28
SHA512: 417df46fea3d979df498df99333f08a8181cff7696b0f72f6fcee634c07ce7b721e2d132dbef0ab6a8f60662d5c09d3b20453843fb5b829fef73bc2cd18660c9
Static task: static1
Behavioral task: behavioral1
  Sample: IMG 24344 NEW ORDER_PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: IMG 24344 NEW ORDER_PDF.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.candenizcilik.com
Port: 587
Username: [email protected]
Password: 519025
Targets
Target: IMG 24344 NEW ORDER_PDF.exe
Size: 423KB
MD5: 28fe82a91916a43d7912560322d5042a
SHA1: 3f203b3f888487fe4afc0f99fd51906788e70449
SHA256: fcf065630d1e02025c3ffe61405ccf6df1f2bf2ecc375a5122a1fc4ad4a4368e
SHA512: 72953b2d5fdd774d2336267d27b068ec6fd522f4ba45b07007b1ce10d69f3a3685a58edce208aecd4b3c436457aa3866e7a9dabafdee6455eed1f09a37e34504
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext