General
- Target: e56a94bb7952f514df90db07d5b5c7138e13548f31e6fd4101a02a15988f3926
- Size: 401KB
- Sample: 220521-cdpv9aggbj
- MD5: 9c6e862f7f0c2aa057d0d7d15485aac6
- SHA1: 5474fe73dbfdc255eabbc6b4b9eba1188a3f18de
- SHA256: e56a94bb7952f514df90db07d5b5c7138e13548f31e6fd4101a02a15988f3926
- SHA512: f1e8d26eb96884f040ec588a9e344ded98cc0e6e52664305ef06041c077b8ea0f6065c7acb5cffb957442a5f043833cc65033d3db68e0d24fafce72f62525aef
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Original Shipping Documents_pdf.exe
  - Resource: win7-20220414-en
Behavioral task
- behavioral2
  - Sample: Original Shipping Documents_pdf.exe
  - Resource: win10v2004-20220414-en
Malware Config
Extracted
- agenttesla
  - Protocol: smtp
  - Host: smtp.anding-tw.com
  - Port: 587
  - Username: issac@anding-tw.com
  - Password: zra1@!G8gQ+i
Targets
- Target: Original Shipping Documents_pdf.exe
  - Size: 462KB
  - MD5: 65e731dd7383f50ebb24ba8b68b60fd3
  - SHA1: 4f5908e161d78753530e0e39e7a1fbfd35a1f62b
  - SHA256: 3da52257d2bf11ec3b3616e8a3c5891d2c2fcf1c2195f8b3f083175da57d2eb2
  - SHA512: 1f49ca33289f518fe9714c2ff3b4c6cae804c4f391107a89f4a691cb1e9ee64ba2dc3bda790a2b15a94b09f7575b7e0168cbe89ed586f33dc6815767e690d227
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: A .NET packer, CoreEntity, that embeds the payload as a BitMap object which is decrypted at runtime.
- AgentTesla Payload
- CoreCCC Packer: Detects the CoreCCC packer used to load .NET malware.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext