General
Target: ddea7c2a6f06dbd717eed541230069102f292d85ce66fc39734e3b6c85f84e40
Size: 410KB
Sample: 220521-cfhvqagghn
MD5: 536dee58c0c25eec6f72b33fa8884f8a
SHA1: 6430f0e85f18d5abbeb4b638dadc2dace5938e53
SHA256: ddea7c2a6f06dbd717eed541230069102f292d85ce66fc39734e3b6c85f84e40
SHA512: 8c93c7cfc8b99843e3e8940203d5539d5543d56ad3aff42e5a939ac5e66b7992010c709fea7a4ee85fb2dc6a395f0dc6c01ebace6a77a38dbb3a6751e82d10be
Static task: static1
Behavioral task: behavioral1
  Sample: HANAN CORP_PO.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: HANAN CORP_PO.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.scandinavian-collection.com
Port: 587
Username: may@scandinavian-collection.com
Password: kR6d.DFet#7w
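The SMTP account above is the channel the stealer uses to send collected data, and during incident response it is worth confirming it from the network side as well as from the sample. The following is an added example, not part of this report: it pulls AUTH LOGIN / AUTH PLAIN credentials and envelope addresses out of a reassembled plaintext SMTP session and checks the account against the extracted config. The session text is constructed for the demo, its password is a placeholder rather than the one in the report, and the parser stops at STARTTLS because everything after it is TLS, which is the usual situation on port 587.

```python
"""Recover SMTP AUTH credentials from a reassembled plaintext session.

Added example, not part of the sandbox report. The session text below is
constructed to resemble a capture of the exfiltration channel in the extracted
config; the password in it is a placeholder, not the one from the report.
"""
import base64
import re

# Values from the extracted config above; the password is deliberately not repeated here.
EXTRACTED_CONFIG = {
    "protocol": "smtp",
    "host": "mail.scandinavian-collection.com",
    "port": 587,
    "username": "may@scandinavian-collection.com",
}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed client/server exchange, one message per line as reassembled from a TCP stream.
SAMPLE_SESSION = "\n".join([
    "220 mail.scandinavian-collection.com ESMTP",
    "EHLO DESKTOP-1",
    "250-mail.scandinavian-collection.com",
    "250-STARTTLS",
    "250 AUTH LOGIN PLAIN",
    "AUTH LOGIN",
    "334 " + _b64("Username:"),
    _b64("may@scandinavian-collection.com"),
    "334 " + _b64("Password:"),
    _b64("placeholder-not-the-real-password"),
    "235 2.7.0 Authentication successful",
    "MAIL FROM:<may@scandinavian-collection.com>",
    "250 OK",
    "RCPT TO:<may@scandinavian-collection.com>",
    "250 OK",
])

# Same constructed session, but the client negotiates STARTTLS first: the rest is TLS.
SAMPLE_SESSION_TLS = "\n".join([
    "220 mail.scandinavian-collection.com ESMTP",
    "EHLO DESKTOP-1",
    "250-mail.scandinavian-collection.com",
    "250-STARTTLS",
    "250 AUTH LOGIN PLAIN",
    "STARTTLS",
    "220 2.0.0 Ready to start TLS",
])

# Constructed AUTH PLAIN initial-response form (RFC 4616: authzid NUL authcid NUL password).
SAMPLE_AUTH_PLAIN = "AUTH PLAIN " + _b64("\0bob@example.com\0pw")


def parse_smtp_auth(session: str) -> dict:
    """Extract AUTH LOGIN / AUTH PLAIN credentials and envelope addresses from plaintext SMTP."""
    out = {"username": None, "password": None, "mail_from": None, "rcpt_to": [], "starttls": False}
    lines = [ln.strip() for ln in session.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        upper = line.upper()
        if upper == "STARTTLS":
            out["starttls"] = True      # nothing after this is readable without the TLS keys
            break
        if (upper == "AUTH LOGIN" and i + 4 < len(lines)
                and lines[i + 1].startswith("334") and lines[i + 3].startswith("334")):
            # server 334 <b64 "Username:">, client <b64 user>, server 334 <b64 "Password:">, client <b64 pass>
            out["username"] = base64.b64decode(lines[i + 2]).decode(errors="replace")
            out["password"] = base64.b64decode(lines[i + 4]).decode(errors="replace")
            i += 5
            continue
        if upper.startswith("AUTH PLAIN "):
            fields = line.split(None, 2)
            parts = base64.b64decode(fields[2]).split(b"\0") if len(fields) == 3 else []
            if len(parts) == 3:
                out["username"] = parts[1].decode(errors="replace")
                out["password"] = parts[2].decode(errors="replace")
        m = re.match(r"(?i)^MAIL FROM:\s*<?([^>\s]+)>?", line)
        if m:
            out["mail_from"] = m.group(1)
        m = re.match(r"(?i)^RCPT TO:\s*<?([^>\s]+)>?", line)
        if m:
            out["rcpt_to"].append(m.group(1))
        i += 1
    return out


def matches_extracted_config(creds: dict, cfg: dict = EXTRACTED_CONFIG) -> bool:
    """True when the account seen on the wire is the one hard-coded in the sample."""
    user = creds.get("username")
    return user is not None and user.lower() == cfg["username"].lower()


if __name__ == "__main__":
    creds = parse_smtp_auth(SAMPLE_SESSION)
    print(creds, "matches config:", matches_extracted_config(creds))
    print("TLS session:", parse_smtp_auth(SAMPLE_SESSION_TLS))
```

When the capture shows STARTTLS before AUTH, the credentials cannot be read off the wire and the extracted config is the only source; either way, treat the account in the config as compromised and block the host and port 587 destination at the egress rather than relying on seeing the login.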
Targets
Target: HANAN CORP_PO.exe
Size: 464KB
MD5: 7944e77f9f530cba11ea3cdcc3e06c12
SHA1: 0f760a9184ef4c4ee3611820947252931aad8cc2
SHA256: 96b9a82530649c3f90162fc3fa6604814dfcd6e0517658264b04497b07c84c6e
SHA512: 6532f3949047db20725c72fbc5217ec65c34767518d3d761bb7432501be389fa43186586b05e51102799206b46ea754188be820e21a578f97cab564734c1393b
- AgentTesla
  Agent Tesla is a remote access trojan and credential stealer written in Visual Basic .NET; the SMTP account in the extracted config is the channel it sends collected data through.
- CoreEntity .NET Packer
  A .NET packer, CoreEntity, that embeds the payload as a Bitmap object and decrypts it at runtime before loading it.
- AgentTesla Payload
- Checks computer location settings
  Reads the country code configured in the registry, most likely as a geofence (run or abort depending on the victim's region).
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
  SetThreadContext on another process's thread commonly indicates process hollowing / RunPE-style injection, where a suspended process's thread is redirected to injected code.
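The CoreEntity entry above says only that the payload is stored as a Bitmap and decrypted later; the report gives no key or algorithm. The following is an added example, not the packer's code and not from this report, showing the generic carving approach an analyst applies to bitmap-embedded payloads: walk the BMP pixel array and use the known `MZ` / `PE\0\0` plaintext to derive a candidate single-byte XOR key at every offset, confirming it through `e_lfanew`. The XOR scheme, the BMP container, the junk prefix and the fake PE header are assumptions constructed for the demonstration; a real sample may use a different cipher or a PNG-serialised Bitmap, in which case the pixel extraction is the part to swap out.

```python
"""Carve a PE image out of a bitmap's pixel data.

Added example, not code from the report or from the CoreEntity packer. The
single-byte XOR and the BMP container are assumptions used for the demo; the
report does not state how the real packer encrypts its Bitmap payload.
"""
import struct


def bmp_pixel_bytes(bmp: bytes) -> bytes:
    """Return the pixel array of an uncompressed BMP, top row first, row padding removed."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    off_bits = struct.unpack_from("<I", bmp, 10)[0]        # bfOffBits: start of pixel array
    width, height = struct.unpack_from("<ii", bmp, 18)      # biWidth, biHeight (signed)
    bpp = struct.unpack_from("<H", bmp, 28)[0]              # biBitCount
    row_bytes = (width * bpp + 7) // 8
    stride = (row_bytes + 3) & ~3                           # rows are padded to 4 bytes
    rows = [bmp[off_bits + r * stride: off_bits + r * stride + row_bytes]
            for r in range(abs(height))]
    if height > 0:                                          # positive height = stored bottom-up
        rows.reverse()
    return b"".join(rows)


def find_xored_pe(data: bytes):
    """Known-plaintext search: derive the XOR key from 'MZ', confirm with 'PE\\0\\0' at e_lfanew.

    Returns (key, offset, decrypted_tail) or None. Key 0 covers an unencrypted payload.
    """
    for i in range(len(data) - 0x40):
        key = data[i] ^ 0x4D                                # 'M'
        if data[i + 1] ^ key != 0x5A:                       # 'Z'
            continue
        e_lfanew = struct.unpack("<I", bytes(b ^ key for b in data[i + 0x3C:i + 0x40]))[0]
        pe = i + e_lfanew
        if pe + 4 <= len(data) and bytes(b ^ key for b in data[pe:pe + 4]) == b"PE\0\0":
            return key, i, bytes(b ^ key for b in data[i:])
    return None


def carve(bmp: bytes):
    """Pixel extraction followed by the PE search; None when no PE is found under any key."""
    return find_xored_pe(bmp_pixel_bytes(bmp))


def build_bmp(pixels: bytes, width: int = 16) -> bytes:
    """Constructed sample only: pack raw bytes into a 32-bpp bottom-up BMP."""
    row_bytes = width * 4
    height = -(-len(pixels) // row_bytes)
    pixels = pixels.ljust(height * row_bytes, b"\0")
    rows = [pixels[r * row_bytes:(r + 1) * row_bytes] for r in range(height)]
    body = b"".join(reversed(rows))                         # BMP stores the bottom row first
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(body), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + body


# Constructed stand-in for a payload: a DOS header whose e_lfanew points at a PE signature.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\xcc" * 64
KEY = 0x5C                                                  # assumed demo key, not from the sample
SAMPLE_BMP = build_bmp(b"\x01\x02\x03" + bytes(b ^ KEY for b in FAKE_PE))  # three junk bytes, then payload

if __name__ == "__main__":
    key, off, payload = carve(SAMPLE_BMP)
    print(f"key=0x{key:02x} offset={off} payload starts {payload[:2]!r}")
```

The known-plaintext scan is linear in the bitmap size, so it is practical on a 400KB resource, unlike decrypting the whole buffer once per candidate key; if the scan finds nothing, the packer is using something other than a repeating single byte, and the next step is to read the decryption routine in the .NET unpacker stub rather than to guess further.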