General
-
Target
e67a2c75ea4dac4076983e7fe5f6ec20648433af3bdd479241a0fe204f59fb6a
-
Size
394KB
-
Sample
220521-cddszsdff5
-
MD5
2590c79fa2cd5e3a34c4ede84962a28f
-
SHA1
ae4a8f35afdb8c9921c0d51a3779a5acb6261cd3
-
SHA256
e67a2c75ea4dac4076983e7fe5f6ec20648433af3bdd479241a0fe204f59fb6a
-
SHA512
99c591de58f02e1acda90d1ac1f6d81b10cf8eddd330686ba9fda642c7849bcc632719c4998cf73d0a8e2473c663ec4e503cdb4534d7a88dce190817922053af
Static task
static1
Behavioral task
behavioral1
Sample
PO No SCI6533155 SZ Quote ID SZ-761100-44.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PO No SCI6533155 SZ Quote ID SZ-761100-44.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: pegan@cerasantrading.store
Password: Cotton2019*
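The extracted SMTP credentials are the sample's exfiltration channel, which makes them directly usable for network detection. The following is an added example (not part of the sandbox report and not Agent Tesla's own code) that recovers the authenticating username from an SMTP session transcript (both AUTH LOGIN and AUTH PLAIN) and matches it, plus the server host and port, against the config above. The transcripts, the client hostname and the "C:"/"S:" log shape are constructed assumptions.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional

# Exfiltration channel extracted from the sample (values from the report above).
AGENTTESLA_SMTP_CONFIG = {
    "host": "mail.privateemail.com",
    "port": 587,
    "username": "pegan@cerasantrading.store",
}


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed client/server transcripts (not real captures) in the shape a mail
# proxy or sensor might log: "C:" lines are client, "S:" lines are server.
SAMPLE_SESSION_LOGIN = "\n".join([
    "S: 220 mail.privateemail.com ESMTP",
    "C: EHLO DESKTOP-1A2B3C",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 " + _b64("Username:"),
    "C: " + _b64("pegan@cerasantrading.store"),
    "S: 334 " + _b64("Password:"),
    "C: " + _b64("Cotton2019*"),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<pegan@cerasantrading.store>",
])

SAMPLE_SESSION_PLAIN = "\n".join([
    "S: 220 mail.privateemail.com ESMTP",
    "C: EHLO DESKTOP-1A2B3C",
    "C: AUTH PLAIN " + _b64("\0pegan@cerasantrading.store\0Cotton2019*"),
    "S: 235 2.7.0 Authentication successful",
])


@dataclass
class SmtpAuthEvent:
    mechanism: str
    username: Optional[str] = None
    password: Optional[str] = None


def _decode(token: str) -> Optional[str]:
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_smtp_auth(session: str) -> List[SmtpAuthEvent]:
    """Recover credentials from AUTH LOGIN (two challenge/response rounds)
    and AUTH PLAIN (one base64 blob: authzid NUL user NUL pass)."""
    lines = [l.strip() for l in session.splitlines() if l.strip()]
    events: List[SmtpAuthEvent] = []
    i = 0
    while i < len(lines):
        if lines[i].startswith("C: AUTH "):
            parts = lines[i][3:].split()
            mech = parts[1].upper()
            if mech == "LOGIN":
                answers = []
                i += 1
                # The next two client lines are the base64 username and password.
                while i < len(lines) and len(answers) < 2:
                    if lines[i].startswith("C: "):
                        answers.append(_decode(lines[i][3:]))
                    i += 1
                events.append(SmtpAuthEvent("LOGIN", *answers))
                continue
            if mech == "PLAIN":
                token = parts[2] if len(parts) > 2 else None
                if token is None:  # no initial response: next client line carries it
                    i += 1
                    while i < len(lines) and not lines[i].startswith("C: "):
                        i += 1
                    token = lines[i][3:] if i < len(lines) else None
                decoded = _decode(token) if token else None
                ev = SmtpAuthEvent("PLAIN")
                if decoded is not None and decoded.count("\0") == 2:
                    _authzid, ev.username, ev.password = decoded.split("\0")
                events.append(ev)
        i += 1
    return events


def match_exfil_config(session: str, server_host: str, server_port: int,
                       config=AGENTTESLA_SMTP_CONFIG) -> List[str]:
    """Return which indicators from the extracted config the session matches.
    A username hit is the strongest signal on its own: the host is a shared
    mail provider and 587 is the standard submission port."""
    hits = []
    if server_host.lower() == config["host"].lower():
        hits.append("host")
    if server_port == config["port"]:
        hits.append("port")
    for ev in parse_smtp_auth(session):
        if ev.username and ev.username.lower() == config["username"].lower():
            hits.append("username:" + ev.mechanism)
    return hits
```

Matching on the username rather than the host alone matters here: mail.privateemail.com is a legitimate shared provider used by many tenants, so host and port hits on their own are weak, while the mailbox name is specific to this campaign. Note the second constructed session authenticates to a different server and still triggers on the username.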
Targets
-
Target
PO No SCI6533155 SZ Quote ID SZ-761100-44.exe
-
Size
432KB
-
MD5
c6459d07f19b52a02f114686de9d768b
-
SHA1
4dd940b26624c8f9fb113c9e4027f47e53fcfa99
-
SHA256
cb7d8b2d1f4a601cb1049096cddaa18bac0efb2b956f9e1b98276be2618fcaf5
-
SHA512
56cccb5f5f705be0de9b177d55c914931d2cd057f3ba59f5d8f2e7cbd3f63ff4e078c43970ef5bdffe1443dcd624bbe83d397dcf5ec56b8f643dda361cce6a96
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, originally written in Visual Basic .NET; the SMTP account in the extracted config above is its exfiltration channel.
-
CoreEntity .NET Packer
CoreEntity is a .NET packer that embeds the payload as a Bitmap object; the image data is decrypted at runtime and the recovered assembly is then loaded.
-
AgentTesla Payload
-
CoreCCC Packer
Detects CoreCCC packer used to load .NET malware.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check (run or abort depending on the victim's locale).
-
Accesses Microsoft Outlook profiles (where stored mail account credentials live; consistent with Agent Tesla's credential theft).
-
Suspicious use of SetThreadContext (typically a packer redirecting the main thread of a suspended child process to the unpacked payload, i.e. process hollowing).
-
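The SetThreadContext signature fires on a single API call, which also matches debuggers and some legitimate tooling. What a practitioner wants is the ordered cross-process sequence behind process hollowing: suspended CreateProcess, WriteProcessMemory into the child, SetThreadContext, ResumeThread. The following is an added example (not from the report or the sandbox) that correlates such a sequence per (source pid, target pid) over an API-call trace. The trace, its tuple shape, the pids, the desktop path and the sizes are constructed assumptions; only the Win32 constants and the API names are real.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004          # CreateProcess dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40          # VirtualAllocEx protection constant

# Required stages, in order, for the classic hollowing sequence.
HOLLOWING_STAGES = [
    "CreateProcess(CREATE_SUSPENDED)",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
]
# Recorded when seen; they strengthen the verdict but are not required.
SUPPORTING_APIS = {"NtUnmapViewOfSection", "VirtualAllocEx", "GetThreadContext"}

# Constructed trace (not from a real run): (calling pid, api, args).
SAMPLE_EXE = r"C:\Users\user\Desktop\PO No SCI6533155 SZ Quote ID SZ-761100-44.exe"
SAMPLE_TRACE = [
    (1337, "CreateProcessW", {"image": SAMPLE_EXE, "flags": CREATE_SUSPENDED, "child_pid": 2048}),
    (1337, "NtUnmapViewOfSection", {"target_pid": 2048}),
    (1337, "VirtualAllocEx", {"target_pid": 2048, "protect": PAGE_EXECUTE_READWRITE}),
    (1337, "WriteProcessMemory", {"target_pid": 2048, "size": 0x6A000}),
    (1337, "GetThreadContext", {"target_pid": 2048}),
    (1337, "SetThreadContext", {"target_pid": 2048}),
    (1337, "ResumeThread", {"target_pid": 2048}),
    # Benign noise: a debugger touching a thread in a process it did not create
    # suspended, and a normal (non-suspended) process launch.
    (4100, "SetThreadContext", {"target_pid": 4200}),
    (5000, "CreateProcessW", {"image": r"C:\Windows\System32\notepad.exe", "flags": 0, "child_pid": 5100}),
    (5000, "ResumeThread", {"target_pid": 5100}),
]


def _is_ordered_subsequence(needle: List[str], hay: List[str]) -> bool:
    pos = 0
    for item in hay:
        if pos < len(needle) and item == needle[pos]:
            pos += 1
    return pos == len(needle)


def detect_process_hollowing(trace) -> List[dict]:
    """Correlate cross-process API calls per (source pid, target pid) and
    report pairs where the full hollowing sequence appears in order."""
    seen: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for pid, api, args in trace:
        if api in ("CreateProcessW", "CreateProcessA", "CreateProcessInternalW"):
            if args.get("flags", 0) & CREATE_SUSPENDED:
                seen[(pid, args["child_pid"])].append(HOLLOWING_STAGES[0])
            continue
        target = args.get("target_pid")
        if target is None or target == pid:
            continue          # same-process use of these APIs is not hollowing
        if api in HOLLOWING_STAGES or api in SUPPORTING_APIS:
            seen[(pid, target)].append(api)
    findings = []
    for (src, dst), stages in seen.items():
        if _is_ordered_subsequence(HOLLOWING_STAGES, stages):
            findings.append({"source_pid": src, "target_pid": dst, "stages": stages})
    return findings


if __name__ == "__main__":
    for f in detect_process_hollowing(SAMPLE_TRACE):
        print(f"hollowing: pid {f['source_pid']} -> pid {f['target_pid']}: {' -> '.join(f['stages'])}")
```

Requiring the suspended create from the same parent is what separates this from the single-call signature: the debugger-style SetThreadContext on pid 4200 and the ordinary notepad launch both drop out, while the packer's full sequence against pid 2048 is reported with its supporting NtUnmapViewOfSection and VirtualAllocEx calls attached for the analyst.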