General
Target: f0dff210f8c759c52bea75aaae8b8c2b3c830f65b354ddfb12537133bdb32adc
Size: 1.2MB
Sample: 220521-ca2qmsdee2
MD5: 48dc0b86a040ca7beeaeb7b25376bb5c
SHA1: 77ea9339f3265de30341cc489d9990f15720fd51
SHA256: f0dff210f8c759c52bea75aaae8b8c2b3c830f65b354ddfb12537133bdb32adc
SHA512: d254592956b62fcf494f7b077d7c0c70684f400897dfde8c71abece5b6897494a33479638be15391e157c4f602f2ebe100da6f96a7e0684909309bce0bc1155c
Static task: static1
Behavioral task: behavioral1
Sample: PAYMENT_.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: PAYMENT_.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: prudential.com.np
Port: 587
Username: [email protected]
Password: ensure@prudential
Targets
Target: PAYMENT_.EXE
Size: 391KB
MD5: dac2e135d82d0a829efa9d9d7e470e20
SHA1: f154744a4598842ace3aa3258ce8516530b38923
SHA256: 22fd870db6109516f3696a5a25e7aa26a00fb233ee537de7403818514d2671fa
SHA512: e3f5db449482bdbc596289b40db0b79f7e625f102700ab146ad9452be5854e9efc3cf10ca57ccdb55e5697294d5126f29d6e95ea4bf70a55e0ffed36ac8071d6
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
AgentTesla Payload
CoreCCC Packer
Detects the CoreCCC packer used to load .NET malware.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext