General
Target: ec6a3f5f18f8043573bb5f88f3c6409755c03ed9cff4605b27adf8143c92dd76
Size: 455KB
Sample: 220521-cb4avsgfej
MD5: 1117428353370a26069953f0cfe912d3
SHA1: 8f384df90738712d66a20033ff4b4a8baf609d09
SHA256: ec6a3f5f18f8043573bb5f88f3c6409755c03ed9cff4605b27adf8143c92dd76
SHA512: b5328101f186aeafc120b368ec26dea4bf90d08308284f25b9d57714c6cfe6a31f99487f6f2132a040565dcef4db0959499718f0fdbe1737d9688084eb250b71
Static task: static1
Behavioral task: behavioral1
  Sample: Payment Slip.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Payment Slip.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: homeboy12345
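The extracted configuration is the most actionable part of this report: the sample exfiltrates over authenticated SMTP submission (port 587) to a public mail provider rather than to a dedicated C2 host. The following is an added example, not code from the report or from the Agent Tesla sample. It parses the flattened "Key: value - Key: value" text exactly as the report prints it, then flags any process other than a mail client that connects to the extracted host and port. The network records are constructed in a Sysmon Event ID 3 style with assumed field names, and the mail-client allow-list is an assumption to tune per environment.

```python
import re
from dataclasses import dataclass

# Keys the report prints in its "Extracted" block.
KEY_RE = re.compile(r"(Protocol|Host|Port|Username|Password):")


def parse_config(text: str) -> dict:
    """Parse the flattened 'Key: value - Key: value' text into a dict.

    The report joins fields with ' - ', and line wrapping sometimes glues the
    dash to the value ('smtp- Host:'), so a trailing dash is stripped per field.
    """
    flat = " ".join(text.split())
    parts = KEY_RE.split(flat)  # ['', 'Protocol', ' smtp- ', 'Host', ' smtp.yandex.com - ', ...]
    cfg = {}
    for key, raw in zip(parts[1::2], parts[2::2]):
        cfg[key.lower()] = raw.strip().rstrip("-").strip()
    cfg["port"] = int(cfg["port"])
    return cfg


# Copied from the report's Extracted block (username shown as the page shows it).
EXTRACTED = """Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
homeboy12345"""

C2 = parse_config(EXTRACTED)

# Assumed allow-list of processes that legitimately submit mail on 587.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class NetEvent:
    """Constructed Sysmon Event ID 3 style record (field names assumed)."""
    image: str        # initiating process path
    dest_host: str    # resolved destination hostname
    dest_port: int


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_exfil_smtp(ev: NetEvent, c2: dict = C2) -> bool:
    """True when a non-mail-client process submits mail to the C2 mailbox host."""
    if ev.dest_port != c2["port"] or ev.dest_host.lower() != c2["host"].lower():
        return False
    return basename(ev.image) not in MAIL_CLIENTS


def find_exfil(events, c2: dict = C2):
    return [ev for ev in events if is_exfil_smtp(ev, c2)]


# Constructed sample events: one true positive, one legitimate client, one unrelated.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Users\victim\Downloads\Payment Slip.exe", "smtp.yandex.com", 587),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "smtp.yandex.com", 587),
    NetEvent(r"C:\Users\victim\Downloads\Payment Slip.exe", "www.example.org", 443),
]

if __name__ == "__main__":
    print("C2:", C2["host"], C2["port"], "as", C2["username"])
    for ev in find_exfil(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} -> {ev.dest_host}:{ev.dest_port}")
```

Submission on port 587 is STARTTLS, so the stolen data itself is not visible on the wire; the detection has to key off the initiating process and destination pair rather than content. The host is a legitimate mail provider shared with real users, so the right response is to report and block the attacker mailbox (the extracted credentials identify it) and alert on unexpected processes reaching it, not to sinkhole smtp.yandex.com outright.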
Targets
Target: Payment Slip.exe
Size: 560KB
MD5: d436adeaeda394dd9aae8361cb0b16f3
SHA1: 49bcf22be48d8064ee369544873ba0546a48fcb1
SHA256: 6426bb813f2c02db79c20887cdbb42bbb8a3c0f12b34369fe24150408eaf8f8b
SHA512: 859d3795952f0e5a9fffb9ccecab1d30c4fac023b85a27d3cfca56b35a3627f56c96a2b99f4abdcc5226f2ab22da2a1f164cddd6bc6d21cd45a16282529bedb5
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic .NET.

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

Drops file in Drivers directory

Looks for VMware Tools registry key

Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.

Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.

Accesses Microsoft Outlook profiles

Adds Run key to start application

Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.

Suspicious use of SetThreadContext
SetThreadContext is commonly used to point a suspended thread at injected code (process hollowing).
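The registry-based signatures in the list above are what a sandbox raises when the sample reads well-known hypervisor, hardware, locale and mail-profile keys, and when it writes a Run value. The following is an added example, not code from the report or from the Agent Tesla sample, that replays the same classification over a constructed Sysmon-style registry trace and scopes it to the sample's own process. The key paths are the standard locations each check reads and are assumptions here; the event format, operation names and process paths are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    """Constructed registry-access record (Sysmon Event ID 12/13 style, field names assumed)."""
    image: str  # process that performed the access
    op: str     # "QueryValue" for a read, "SetValue" for a write (constructed vocabulary)
    path: str   # full key\value path, HKLM/HKCU prefixed


# (signature name as the report prints it, operation, path regex).
# Key paths are the standard locations each check reads; assumptions, not from the report.
RULES = [
    ("Looks for VirtualBox Guest Additions in registry", "QueryValue",
     r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMware Tools registry key", "QueryValue",
     r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry", "QueryValue",
     r"\\HARDWARE\\DESCRIPTION\\System(?:\\BIOS)?\\"
     r"(?:SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName)$"),
    ("Checks computer location settings", "QueryValue",
     r"\\Control Panel\\International\\Geo\\Nation$"),
    ("Maps connected drives based on registry", "QueryValue",
     r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum"),
    ("Accesses Microsoft Outlook profiles", "QueryValue",
     r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook|"
     r"Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles"),
    ("Adds Run key to start application", "SetValue",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$"),
]
COMPILED = [(name, op, re.compile(rx, re.IGNORECASE)) for name, op, rx in RULES]

# The checks above that exist to detect a VM or sandbox rather than to steal data.
SANDBOX_EVASION = {
    "Looks for VirtualBox Guest Additions in registry",
    "Looks for VMware Tools registry key",
    "Checks BIOS information in registry",
    "Maps connected drives based on registry",
}


def match_signatures(events, image):
    """Return {signature: [paths]} for accesses made by `image` only.

    Scoping to the sample's process matters: on a real VM the guest tools
    (vmtoolsd.exe, VBoxService.exe) read the same keys and would otherwise
    trip the anti-VM rules.
    """
    hits = defaultdict(list)
    for ev in events:
        if ev.image.lower() != image.lower():
            continue
        for name, op, rx in COMPILED:
            if ev.op == op and rx.search(ev.path):
                hits[name].append(ev.path)
    return dict(hits)


def evasion_score(hits):
    """Number of distinct sandbox-evasion checks observed."""
    return sum(1 for name in hits if name in SANDBOX_EVASION)


SAMPLE = r"C:\Users\victim\Downloads\Payment Slip.exe"

# Constructed trace: the sample's reads, one guest-tools read that must be
# ignored, and a read of the Run key that must not count as persistence.
SAMPLE_EVENTS = [
    RegEvent(SAMPLE, "QueryValue", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions\Version"),
    RegEvent(SAMPLE, "QueryValue", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath"),
    RegEvent(r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "QueryValue",
             r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools\InstallPath"),
    RegEvent(SAMPLE, "QueryValue", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    RegEvent(SAMPLE, "QueryValue", r"HKCU\Control Panel\International\Geo\Nation"),
    RegEvent(SAMPLE, "QueryValue", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    RegEvent(SAMPLE, "QueryValue", r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"),
    RegEvent(SAMPLE, "QueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
    RegEvent(SAMPLE, "SetValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Payment Slip"),
]

if __name__ == "__main__":
    hits = match_signatures(SAMPLE_EVENTS, SAMPLE)
    for name, paths in hits.items():
        print(f"{name}: {len(paths)} access(es)")
    print("sandbox-evasion checks:", evasion_score(hits))
```

Two details carry the practitioner value: the Run-key rule fires only on a write, since reading that key is routine, and the anti-VM rules are scoped to the sample's process, since the hypervisor's own guest services read exactly the keys the sample probes.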
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
  Modify Existing Service (1)
  Registry Run Keys / Startup Folder (1)
  Scheduled Task (1)
Defense Evasion
  Modify Registry (4)
  Disabling Security Tools (2)
  Virtualization/Sandbox Evasion (2)