General
Target: 33792e3c0afb98dad79d6702efa5a1e35831b562b27ad538d76ae6344f19e0a7
Size: 1.2MB
Sample: 220521-bwvnsaffcl
MD5: 5b596c63aae65fed46fc820a5d772d72
SHA1: d1bfd6a92d93a3043af63f9660d9112149f1f8ff
SHA256: 33792e3c0afb98dad79d6702efa5a1e35831b562b27ad538d76ae6344f19e0a7
SHA512: e23fe8fea2e74f15b17a877764bed466af9a528c90e89fc4e2c1f116c834473dc017f2f0e46ebbf3c13e847210a4dd49926f230609ddfde6df164d714cb74c67
Static task: static1
Behavioral task: behavioral1
Sample: BANK_ACC.exe
Resource: win7-20220414-en
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.haden-tours.com
Port: 587
Username: [email protected]
Password: In-159753
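The SMTP settings above are the sample's exfiltration channel, so they are the most directly usable detection material in this report. The block below is an added example, not code from Triage or from the malware: it parses the one-line "key: value - key: value" rendering of the config as it appears on this page and turns the mail host into a Suricata DNS rule. The username is kept exactly as the page shows it (an obfuscated address, so it is not usable as an indicator); the rule sid and message text are this example's own choices.

```python
"""Turn the extracted Agent Tesla SMTP config into a network detection.

Added example for this report, not Triage or Agent Tesla code. It parses the
one-line config rendering used on the page and emits a Suricata DNS rule;
the sid and msg text are arbitrary choices of this example.
"""
import re

# The config line exactly as rendered in the report (constructed from the page;
# the username is shown obfuscated there and is kept that way here).
CONFIG_LINE = ("Protocol: smtp- Host: mail.haden-tours.com - Port: 587 - "
               "Username: [email protected] - Password: In-159753")

# A key is a word followed by ':'; a value runs until the next ' - Key:'
# separator or end of line. The separator dash must be followed by whitespace,
# so hyphens inside values ("haden-tours", "In-159753") are not split on, while
# the page's "smtp- Host" (no space before the dash) still splits correctly.
FIELD_RE = re.compile(r"(\w+):\s*(.*?)(?=\s*-\s+\w+:|$)")


def parse_config(line):
    """Return the config as a dict with lower-case keys; port becomes an int."""
    cfg = {key.lower(): value.strip() for key, value in FIELD_RE.findall(line)}
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


def suricata_dns_rule(cfg, sid=9000001):
    """Alert on any DNS lookup of the exfiltration mail host.

    The SMTP session to port 587 upgrades to TLS via STARTTLS before the
    client authenticates, so matching on AUTH/MAIL FROM content is unreliable;
    the DNS lookup of the host is the stable observable.
    """
    host = cfg["host"]
    return (f'alert dns any any -> any any (msg:"AgentTesla SMTP exfil host {host}"; '
            f'dns.query; content:"{host}"; nocase; classtype:trojan-activity; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    config = parse_config(CONFIG_LINE)
    for key, value in config.items():
        print(f"{key:>9}: {value}")
    print(suricata_dns_rule(config))
```

The parser is generic over the field set, so the same function handles the FTP or HTTP variants of the config that other Agent Tesla samples carry; only the rule generator is tied to the host field. If the sandbox pcap resolved mail.haden-tours.com, the resolved address is the natural second indicator to pair with this rule.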
Targets
Target: BANK_ACC.EXE
Size: 472KB
MD5: 7c900acb04fc360427fa4c15292a7efe
SHA1: ca0468c0aa0883532a8f7a4853620653978a8e58
SHA256: 42fcf6a2253cd374d0b8173e7e5278b00780bb0ddff8a3169254f2bff424f916
SHA512: 949fa27ad01cbc24add00579ed5022f33fa62070bc95baff5af206532406d459ae65b92f207e6961cfd3046159eb14764958f8a432efac454197a075d50d530a
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests saved credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP; the config extracted above shows this sample mailing its take through mail.haden-tours.com on port 587.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: setting the context of a thread in another process is the step in process hollowing (RunPE) that points a suspended child's entry point at an injected payload, which is how .NET loaders commonly start a payload such as Agent Tesla.
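To see what a sandbox guest would hand to the registry checks listed above, the following is an added example (not part of the report, and not Agent Tesla's own code) that reads the registry locations those signature names usually correspond to; the exact keys and value names are an assumption of this example. On a Windows guest it queries the live registry; elsewhere it runs against a constructed VirtualBox-like snapshot so the logic can be exercised offline.

```python
"""Replay the registry probes the report attributes to this sample.

Added example for this report, not Triage or Agent Tesla code. The key paths
are the ones these five signature names normally refer to (an assumption of
this example). Run inside a Windows sandbox guest to see which values would
reveal the VM; on other platforms it runs against a constructed snapshot.
"""
import sys

HKLM, HKCU = "HKLM", "HKCU"

# (label, hive, key, value name); value name None means "does the key exist".
PROBES = [
    ("virtualbox_guest_additions", HKLM, r"SOFTWARE\Oracle\VirtualBox Guest Additions", None),
    ("vmware_tools", HKLM, r"SOFTWARE\VMware, Inc.\VMware Tools", None),
    ("bios_vendor", HKLM, r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor"),
    ("system_manufacturer", HKLM, r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    ("system_product", HKLM, r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    ("geo_nation", HKCU, r"Control Panel\International\Geo\Nation", "Nation"),
]
# Attached disks appear as numbered values ("0", "1", ...) under this key.
DISK_ENUM_KEY = (HKLM, r"SYSTEM\CurrentControlSet\Services\Disk\Enum")

# Substrings hypervisors leave in BIOS strings and disk device paths.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs", "xen", "virtual")


def windows_reader(hive, key, name):
    """Read one value (or test key existence) from the live registry; None if absent."""
    import winreg  # Windows only; a 32-bit interpreter sees WOW64-redirected SOFTWARE keys
    root = winreg.HKEY_LOCAL_MACHINE if hive == HKLM else winreg.HKEY_CURRENT_USER
    try:
        with winreg.OpenKey(root, key) as handle:
            if name is None:
                return ""  # key exists
            data, _ = winreg.QueryValueEx(handle, name)
            return str(data)
    except OSError:
        return None


def snapshot_reader(snapshot):
    """Reader over a dict {(hive, key, name): data} standing in for a registry."""
    return lambda hive, key, name: snapshot.get((hive, key, name))


def probe(reader):
    """Run the sample's checks; return the raw values and the VM giveaways."""
    values, indicators = {}, []
    for label, hive, key, name in PROBES:
        data = reader(hive, key, name)
        values[label] = data
        if name is None and data is not None:
            indicators.append(f"{label}: key present")
        elif name and data and any(m in data.lower() for m in VM_MARKERS):
            indicators.append(f"{label}: {data!r}")
    disks = []
    for i in range(16):  # stop at the first missing index
        data = reader(*DISK_ENUM_KEY, str(i))
        if data is None:
            break
        disks.append(data)
        if any(m in data.lower() for m in VM_MARKERS):
            indicators.append(f"disk{i}: {data!r}")
    values["disks"] = disks
    return {"values": values, "vm_indicators": indicators}


# Constructed snapshot of a stock VirtualBox guest (not data from the report).
VBOX_SNAPSHOT = {
    (HKLM, r"SOFTWARE\Oracle\VirtualBox Guest Additions", None): "",
    (HKLM, r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor"): "innotek GmbH",
    (HKLM, r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"): "innotek GmbH",
    (HKLM, r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"): "VirtualBox",
    (HKCU, r"Control Panel\International\Geo\Nation", "Nation"): "244",  # GeoID 244 = United States
    (HKLM, r"SYSTEM\CurrentControlSet\Services\Disk\Enum", "0"):
        r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0",
}

if __name__ == "__main__":
    reader = windows_reader if sys.platform == "win32" else snapshot_reader(VBOX_SNAPSHOT)
    result = probe(reader)
    print("geo nation:", result["values"]["geo_nation"])
    for line in result["vm_indicators"] or ["no hypervisor markers found"]:
        print(line)
```

Every line this prints on a guest is a string the sample can read before deciding whether to run, so the output doubles as a hardening checklist: rename or remove the guest-additions keys, overwrite the BIOS strings and disk identifiers at the hypervisor level, and set Geo\Nation to the country the lure targets, then re-detonate.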