General
Target: 34323ddb331fe234555a9e937aa37b956c92e5f78702de33de20ab5b72753c6c
Size: 392KB
Sample: 220521-bwt29aceh6
MD5: bf872266786dde074273b051162f84ff
SHA1: af9f3d0c77911c71e92912298d56a0d6f8439318
SHA256: 34323ddb331fe234555a9e937aa37b956c92e5f78702de33de20ab5b72753c6c
SHA512: 851235f25d39520d92ce595a802569a6e0e3d7f4d25ecd31984916dc57c54ebaf9f51dfc77568325030a2e8feed94881fb7f255d4589788fb9947aca24693794
Static task: static1
Behavioral task: behavioral1
  Sample: k5jT8OXjl89E0ZP.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: k5jT8OXjl89E0ZP.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.forapro-ru.com
Port: 587
Username: [email protected]
Password: FLYY)RH0
Targets
Target: k5jT8OXjl89E0ZP.exe
Size: 443KB
MD5: 1154a1e546242fce05b19e57f4d51b70
SHA1: 66474ee898e14250c3ffeab9335420b3bcf649b8
SHA256: 77a9652b29e432e9a9bdf2698fc841b88153739300f329d39fc8ada898390539
SHA512: 356d8f4bdc60e1d571726d59c0435219e4325f1673cf30f36a4d12a540595a5b88f8460c592f0cd1f8c9d1d86335101679e3db4ee1f4338b734c59c03c58792a
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  CoreEntity is a .NET packer that embeds the payload as a Bitmap object, which is later decrypted at runtime.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext