General
Target: 2f64d8f877ff01d8d60aa6b8b9b7a363b368f66d8a035af2189108fb2d7176ab
Size: 430KB
Sample: 220521-bw2gbscfa6
MD5: 350c470b7a1842e4c74d98e8f55184b4
SHA1: 949c7710cf7fc6c201d0a906db4edfee4a322ab8
SHA256: 2f64d8f877ff01d8d60aa6b8b9b7a363b368f66d8a035af2189108fb2d7176ab
SHA512: a06d6794ccbf83b45172ae17a2c8ac513fdd75689eba61612c746651df856547ecf39fde6c3910bcc0273c6606bd8627d0ce385500c8efc2473739953206fdbd
Static task: static1
Behavioral task: behavioral1
Sample: ?gnp.LB025072OP.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: ?gnp.LB025072OP.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.winhalltech.com
Port: 587
Username: [email protected]
Password: Hafizzul*010218
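The extracted config points at a plain SMTP submission port (587) rather than a C2 URL, so the exfiltration channel and the mailbox credentials are recoverable from a packet capture of the infected host. The following is an added example, not code from the report or from the sandbox: it walks a captured SMTP stream written out in "S:"/"C:" form, decodes the AUTH LOGIN exchange (and, as a generalization, AUTH PLAIN and the initial-response form of AUTH LOGIN), notes whether STARTTLS was issued before authentication, and collects message subjects. The transcript is constructed; the host and port come from the config above, while the mailbox name and password are placeholders, not the values in the report.

```python
"""Pull SMTP exfiltration indicators out of a captured session.

Added example, not code from the original report. The transcript is
constructed: host and port match the extracted config, the mailbox and
password are placeholders.
"""
import base64

# Constructed transcript of a port-587 TCP stream. Mailbox/password are fake.
CAPTURED_SESSION = """\
S: 220 mail.winhalltech.com ESMTP ready
C: EHLO DESKTOP-ABC123
S: 250-mail.winhalltech.com
S: 250-AUTH LOGIN PLAIN
S: 250 STARTTLS
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlckBleGFtcGxlLmNvbQ==
S: 334 UGFzc3dvcmQ6
C: czNjcmV0LWRlbW8=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<user@example.com>
S: 250 2.1.0 OK
C: RCPT TO:<user@example.com>
S: 250 2.1.5 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: constructed demo message
C:
C: (stolen credentials would follow here)
C: .
S: 250 2.0.0 OK queued
C: QUIT
"""

# Same placeholders sent with AUTH PLAIN; built in code so the base64 is exact.
PLAIN_AUTH_SESSION = (
    "S: 220 mail.winhalltech.com ESMTP ready\n"
    "C: EHLO DESKTOP-ABC123\n"
    "C: AUTH PLAIN "
    + base64.b64encode(b"\x00user@example.com\x00s3cret-demo").decode()
    + "\nS: 235 2.7.0 Authentication successful\n"
)


def parse_smtp_session(transcript: str) -> dict:
    """Walk the client lines; record banner host, STARTTLS, AUTH method,
    decoded credentials and message subjects."""
    result = {"server": None, "starttls": False, "auth_method": None,
              "username": None, "password": None, "subjects": []}
    pending = []  # fields the next client lines fill during AUTH LOGIN
    for raw in transcript.splitlines():
        if len(raw) < 2 or raw[0] not in "SC" or raw[1] != ":":
            continue
        who, line = raw[0], raw[3:]
        if who == "S":
            if line.startswith("220 ") and result["server"] is None:
                result["server"] = line[4:].split()[0]
            continue
        if pending:  # base64 answers to the 334 Username:/Password: prompts
            result[pending.pop(0)] = base64.b64decode(line).decode("utf-8", "replace")
            continue
        words = line.split()
        verb = " ".join(words[:2]).upper()
        if verb == "STARTTLS":
            result["starttls"] = True
        elif verb == "AUTH LOGIN":
            result["auth_method"] = "LOGIN"
            pending = ["username", "password"]
            if len(words) == 3:  # initial-response form carries the username inline
                result["username"] = base64.b64decode(words[2]).decode("utf-8", "replace")
                pending = ["password"]
        elif verb == "AUTH PLAIN":
            result["auth_method"] = "PLAIN"
            _authzid, user, pw = base64.b64decode(words[2]).split(b"\x00", 2)
            result["username"] = user.decode("utf-8", "replace")
            result["password"] = pw.decode("utf-8", "replace")
        elif line.upper().startswith("SUBJECT:"):
            result["subjects"].append(line[8:].strip())
    # Credentials are only readable on the wire if no STARTTLS preceded AUTH.
    result["plaintext_credentials"] = result["auth_method"] is not None and not result["starttls"]
    return result


if __name__ == "__main__":
    for name, session in (("LOGIN", CAPTURED_SESSION), ("PLAIN", PLAIN_AUTH_SESSION)):
        print(name, parse_smtp_session(session))
```

Run on a real stream exported from the PCAP, the "server", "username" and "password" fields are the indicators to block at the mail gateway and to report to the mailbox provider; "plaintext_credentials" being true is what makes this recovery possible at all.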
Targets
Target: ?gnp.LB025072OP.exe
Size: 531KB
MD5: e5378bc95a287b6aa4e858d850a49e05
SHA1: 4649a2f12d7cf68268591d9c4a6aa7e47d8d465f
SHA256: 4809230caa014763badc67dc546c2facfe4ad68787275c02e87329a28e66fcf8
SHA512: ae61c4925b39dbeece4c37dca544d1ca85daab0c677f4877948fb6eb7e9384ce5315ffd407518d61aa52ad8dfd363e186f5791f6a84818b6b87631b40baeb943
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, written in Visual Basic .NET.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload inside a Bitmap object and decrypts it at runtime.
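Packers of this kind keep the encrypted payload in the pixel buffer of an image resource so that the stub looks like it merely loads a picture. The following is an added example, not CoreEntity's code and not code from the report: it builds a 32-bpp BMP whose pixel data carries a length-prefixed, XOR-encrypted blob, then parses the BMP back the way an analyst would when carving the payload out of a dumped resource. The length prefix, the repeating-key XOR and the key value are assumptions chosen for the illustration; the real packer's cipher and key derivation have to be recovered from the unpacked stub, and the sanity check at the end (an MZ header after decryption) is how a wrong guess shows up.

```python
"""Recover a payload carried in the pixel data of a 32-bpp BMP.

Added example, not CoreEntity's real code. The layout (4-byte little-endian
length prefix, repeating-key XOR, bottom-up BMP rows) is an assumption for
illustration; the real packer's key and cipher come from the stub.
"""
import struct

DEMO_KEY = b"demo-xor-key"  # assumed key for the illustration, not the packer's


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call packs and unpacks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_into_bmp(payload: bytes, key: bytes = DEMO_KEY, width: int = 64) -> bytes:
    """Packer side: length prefix + XORed payload spread over 32-bpp pixels."""
    body = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    pixels = (len(body) + 3) // 4
    height = (pixels + width - 1) // width
    stride = width * 4                       # 32 bpp: rows are always 4-byte aligned
    body = body.ljust(stride * height, b"\x00")
    rows = [body[i * stride:(i + 1) * stride] for i in range(height)]
    pixel_data = b"".join(reversed(rows))    # BMP stores rows bottom-up
    file_header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixel_data), 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data


def unpack_from_bmp(bmp: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Analyst side: parse BITMAPFILEHEADER/BITMAPINFOHEADER, put rows back in
    top-down order, strip the length prefix and XOR the payload back."""
    magic, _size, _r1, _r2, offset = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _hdr, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if bpp != 32 or compression != 0:
        raise ValueError(f"unsupported BMP: {bpp} bpp, compression {compression}")
    top_down = height < 0                    # negative height means top-down rows
    height = abs(height)
    stride = width * 4
    rows = [bmp[offset + i * stride: offset + (i + 1) * stride] for i in range(height)]
    if not top_down:
        rows.reverse()
    body = b"".join(rows)
    (length,) = struct.unpack_from("<I", body, 0)
    if length > len(body) - 4:
        raise ValueError("length prefix exceeds pixel data; wrong layout")
    return xor_bytes(body[4:4 + length], key)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap check after decryption: a .NET payload is still a PE file."""
    return blob[:2] == b"MZ"


if __name__ == "__main__":
    # Constructed stand-in for a PE payload (not a real executable).
    fake_pe = b"MZ" + bytes(range(256)) * 4 + b"end-of-demo-payload"
    carrier = pack_into_bmp(fake_pe, width=32)
    recovered = unpack_from_bmp(carrier)
    print(f"carrier {len(carrier)} bytes, payload {len(recovered)} bytes, "
          f"MZ header: {looks_like_pe(recovered)}")
    print("wrong key yields MZ:", looks_like_pe(unpack_from_bmp(carrier, key=b"wrong")))
```

With a real sample the BMP (or the PNG a .NET resource usually wraps) is dumped from the managed resources, the key and cipher are lifted from the stub's decryption routine, and only the unpack side of this script is needed.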
AgentTesla Payload
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext