General
- Target: e0086eee7d1ee35ecf7421113b9b13922ff6d040f2eca5130ac6e7f4c2b27b3d
- Size: 332KB
- Sample: 220521-ce1n5sdgd8
- MD5: 063166ae6b08a9c991210f59103aab3b
- SHA1: 665d2ae13e1c4c51a98cda62b3d736da564d7c12
- SHA256: e0086eee7d1ee35ecf7421113b9b13922ff6d040f2eca5130ac6e7f4c2b27b3d
- SHA512: b99ae9414b3462e4a71f1a57d2d53c21b4e0890ec23a20e524842934a4be1f3efd3e8ab16432b97d4a2dc41a7058e4150f74c05b5c8c5a920c840b20bda7cbda
Static task: static1
Behavioral task: behavioral1
- Sample: citat.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: citat.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: SENEGAL12345
Targets
- Target: citat.exe
- Size: 424KB
- MD5: e9567d62f6cbad2e5c23cc82f5f62377
- SHA1: 68803124332bf57b6f6a7cc9fad33d6feee8a48a
- SHA256: fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277
- SHA512: 2a87593eac99c22e35459ab6651d022b7530a60bca5ea130a3bf4faf3c60b306b8a64b469da6e137c45a5dd2d9dad6d0787c5caa59ebcc6d279aa15caec70139
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext