General
-
Target
d3b8295f6b3580094260cf5a8a26263eb70d8bc844bfd82d7ffee33c1a6da6b5
-
Size
435KB
-
Sample
220521-chs4gadhf7
-
MD5
4207520acfab5d158134a5c4c242467b
-
SHA1
4dab510e7105617b29f1d7e4fe2a1f9172b38757
-
SHA256
d3b8295f6b3580094260cf5a8a26263eb70d8bc844bfd82d7ffee33c1a6da6b5
-
SHA512
d4fd0eb803e3a4ab92dccbe9cade37bc825b95b52e38c6ab773fdb11865e870fc7f4e7c6e2eca9b5c4b75e6a7d51adbd12c204a45636eae77b03a46a3fedaa23
Static task
static1
Behavioral task
behavioral1
Sample
Business Proposal AECCFC Scope #20200511.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Business Proposal AECCFC Scope #20200511.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.ilclaw.com.ph
Port: 587
Username: [email protected]
Password: P@ssw0rd
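The extracted config is the SMTP account Agent Tesla uses to mail out stolen data. The example below is added here and is not part of the sandbox report: it parses the config block as the report prints it (including the line breaks extraction introduced), derives the base64 tokens a client sends during SMTP AUTH LOGIN / AUTH PLAIN with that account, and scans a constructed SMTP transcript for any authentication with the compromised username. The username on the page is redacted as `[email protected]`, so that literal is kept as a placeholder; the transcript is made up for the example.

```python
"""Parse the extracted Agent Tesla SMTP config and spot the stolen account being used.

Added example, not part of the sandbox report. The username on the page is
redacted ("[email protected]"), so that literal is kept as a placeholder.
"""
import base64
import re

# Config block as the report shows it, line breaks included (constructed copy of the page text).
CONFIG_TEXT = """Protocol: smtp- Host:
mail.ilclaw.com.ph - Port:
587 - Username:
[email protected] - Password:
P@ssw0rd"""

_KEYS = ("Protocol", "Host", "Port", "Username", "Password")
_FIELD_RE = re.compile(
    r"(%s):\s*(.*?)(?=\s*-?\s*(?:%s):|$)" % ("|".join(_KEYS), "|".join(_KEYS))
)


def parse_config(text: str) -> dict:
    """Turn the flattened 'Key: value - Key: value' block into a dict keyed by lower-case field name.

    Anchoring on the known field names means a '-' or ':' inside a password does not split a value.
    """
    flat = " ".join(text.split())  # undo the line breaks
    return {m.group(1).lower(): m.group(2).strip() for m in _FIELD_RE.finditer(flat)}


def auth_login_tokens(username: str, password: str) -> tuple:
    """Base64 strings the client sends after 'AUTH LOGIN' (server prompts: '334 VXNlcm5hbWU6', '334 UGFzc3dvcmQ6')."""
    return (base64.b64encode(username.encode()).decode(),
            base64.b64encode(password.encode()).decode())


def auth_plain_line(username: str, password: str) -> str:
    """Client line for the AUTH PLAIN variant: base64('\\0user\\0pass')."""
    blob = b"\x00" + username.encode() + b"\x00" + password.encode()
    return "C: AUTH PLAIN " + base64.b64encode(blob).decode()


def _b64(s: str):
    """Strict base64 decode; None if the token is not valid base64."""
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:
        return None


def find_credential_use(session_lines, username: str):
    """Return (line_index, mechanism) for every authentication attempt with `username`.

    `session_lines` is a decoded SMTP transcript with 'C: ' / 'S: ' prefixes. On port 587 the
    AUTH exchange happens after STARTTLS, so this only applies to mail-server logs or
    TLS-inspected traffic, not to a raw packet capture.
    """
    hits = []
    want = username.encode()
    expect_user = False
    for i, line in enumerate(session_lines):
        if not line.startswith("C: "):
            continue
        cmd = line[3:].strip()
        if cmd.upper().startswith("AUTH LOGIN"):
            parts = cmd.split(None, 2)
            if len(parts) == 3:  # username supplied inline: AUTH LOGIN <b64user>
                if _b64(parts[2]) == want:
                    hits.append((i, "AUTH LOGIN"))
            else:
                expect_user = True
            continue
        if expect_user:
            expect_user = False
            if _b64(cmd) == want:
                hits.append((i, "AUTH LOGIN"))
        elif cmd.upper().startswith("AUTH PLAIN "):
            blob = _b64(cmd.split(None, 2)[2])
            fields = blob.split(b"\x00") if blob is not None else []
            if len(fields) == 3 and fields[1] == want:
                hits.append((i, "AUTH PLAIN"))
    return hits


CONFIG = parse_config(CONFIG_TEXT)
USER_B64, PASS_B64 = auth_login_tokens(CONFIG["username"], CONFIG["password"])

# Constructed transcript of what the malware's mail submission looks like to the server.
SESSION = [
    "S: 220 mail.ilclaw.com.ph ESMTP ready",
    "C: EHLO DESKTOP-VICTIM",
    "S: 250-mail.ilclaw.com.ph",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: " + USER_B64,
    "S: 334 UGFzc3dvcmQ6",
    "C: " + PASS_B64,
    "S: 235 2.7.0 Authentication successful",
]

if __name__ == "__main__":
    print(CONFIG)
    print(find_credential_use(SESSION, CONFIG["username"]))
```

The practical use is on the mail server side: the account owner (or the provider) can search submission logs for AUTH attempts with this username from unexpected client addresses, and the defender can block outbound TCP/587 to mail.ilclaw.com.ph from endpoints that have no business submitting mail there.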
Targets
-
Target
Business Proposal AECCFC Scope #20200511.exe
-
Size
680KB
-
MD5
3beb56d44ca6ca36b58b99ccff173d89
-
SHA1
d497bad8ccce793615d22af8fb4f10f0ee830941
-
SHA256
8a8ec6bb5e28a1314eab7ff5c9347bf7ddc567d6cd18f68d26abc364cea0ab8f
-
SHA512
80d26b25643146f2c1f571757301e244ec9a0cd92e59376814bfc490e2b5704edc58cd14489fbe05e4e4e9235de3e14255c2b39bf12d8e87108a0899c314763c
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer built on the .NET framework; it exfiltrates harvested data over channels such as SMTP, which is the channel the extracted config above shows.
-
CoreEntity .NET Packer
CoreEntity is a .NET packer that stores its encrypted payload as a Bitmap object (an image resource) and decrypts it at runtime before loading it.
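To make the bitmap-carrier idea concrete, here is an added example that is not CoreEntity's code and not from the report: it hides a length-prefixed, XOR-masked blob in the pixel area of a 32-bpp BMP and recovers it, with a cheap MZ/PE sanity check an analyst can run on whatever comes out. The fixed-key XOR, the length-prefix layout and the fake PE stub are assumptions made for the example; the page says only that the payload is embedded as a Bitmap and decrypted later, and the real packer's key and layout are not known from it.

```python
"""Added illustration of the bitmap-carrier packing technique (not CoreEntity's real scheme)."""
import struct

XOR_KEY = b"\x5a\xa5\x3c"  # hypothetical key; the page does not give the real one


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here as a stand-in for whatever decryption the packer applies."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bytes_to_bmp(body: bytes, width: int = 16) -> bytes:
    """Store `body` (length-prefixed) as the pixel data of a 32-bpp, top-down BMP."""
    payload = struct.pack("<I", len(body)) + body
    n_pixels = -(-len(payload) // 4)          # 4 bytes per BGRA pixel
    height = -(-n_pixels // width)
    pixels = payload.ljust(width * height * 4, b"\x00")
    # BITMAPINFOHEADER; negative height = rows stored top to bottom, so no flipping is needed.
    # 32 bpp keeps every row stride a multiple of 4, so no row padding either.
    dib = struct.pack("<IiiHHIIiiII", 40, width, -height, 1, 32, 0, len(pixels), 2835, 2835, 0, 0)
    hdr = b"BM" + struct.pack("<IHHI", 14 + 40 + len(pixels), 0, 0, 54)
    return hdr + dib + pixels


def bmp_to_bytes(bmp: bytes) -> bytes:
    """Inverse of bytes_to_bmp: pull the length-prefixed blob back out of the pixel area."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    data_offset = struct.unpack_from("<I", bmp, 10)[0]   # bfOffBits
    bpp = struct.unpack_from("<H", bmp, 28)[0]           # biBitCount
    if bpp != 32:
        raise ValueError("expected 32-bpp pixels")
    (length,) = struct.unpack_from("<I", bmp, data_offset)
    start = data_offset + 4
    if start + length > len(bmp):
        raise ValueError("declared length exceeds pixel area")
    return bmp[start:start + length]


def pack_payload(pe: bytes) -> bytes:
    """What a packer does at build time: mask the payload, then wrap it in an image."""
    return bytes_to_bmp(xor_bytes(pe, XOR_KEY))


def unpack_payload(bmp: bytes) -> bytes:
    """What the stub does at run time (and what an analyst reproduces): extract, then unmask."""
    return xor_bytes(bmp_to_bytes(bmp), XOR_KEY)


def looks_like_pe(data: bytes) -> bool:
    """Cheap triage check: MZ header and an e_lfanew that points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe() -> bytes:
    """Constructed stand-in for a .NET payload: MZ stub whose e_lfanew -> 'PE\\0\\0'. Not runnable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + bytes(range(64))


if __name__ == "__main__":
    carrier = pack_payload(fake_pe())
    print(len(carrier), "byte BMP carries a PE:", looks_like_pe(unpack_payload(carrier)))
```

When unpacking a real sample the same two questions apply in the same order: first locate the image resource and read its raw pixel bytes (not a re-encoded copy, which would destroy the data), then find the key and routine the stub uses before the loaded assembly is handed to Assembly.Load. The looks_like_pe check is the quick way to confirm the guess was right.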
-
AgentTesla Payload
-
Checks computer location settings
Reads the country code stored in the registry (under Control Panel\International\Geo), most likely as a geofence to avoid executing in particular regions.
-
Accesses Microsoft Outlook profiles
Reads Outlook profile data from the registry, where saved mail account settings and credentials that Agent Tesla harvests are kept.
-
Suspicious use of SetThreadContext
Typically part of process hollowing: the unpacked payload is written into a suspended process and its thread's entry point is redirected with SetThreadContext before the thread is resumed.
-
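The three behavioural signatures above are each a pattern over API events. As an added example (not the sandbox's own rule logic), the script below runs those patterns over a constructed, sandbox-style event list in a simple `pid|api|argument` shape: the registry rules match the Geo and Outlook profile key paths, and the SetThreadContext rule is deliberately stricter than a single-API hit, requiring WriteProcessMemory, SetThreadContext and ResumeThread against the same remote process in that order, which cuts the noise from legitimate debuggers and runtimes. The event format and the events themselves are made up for the example.

```python
"""Added example: map sandbox-style API events to the report's behavioural signatures."""
import re

# Constructed event lines in a 'pid|api|argument' shape; not an export from the real run.
EVENTS = [
    "1234|RegOpenKeyExW|HKCU\\Control Panel\\International\\Geo",
    "1234|RegQueryValueExW|HKCU\\Control Panel\\International\\Geo\\Nation",
    "1234|RegOpenKeyExW|HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook",
    "1234|CreateProcessW|C:\\target.exe flags=CREATE_SUSPENDED",
    "1234|WriteProcessMemory|target_pid=5678",
    "1234|SetThreadContext|target_pid=5678",
    "1234|ResumeThread|target_pid=5678",
    "9999|RegQueryValueExW|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "9999|SetThreadContext|target_pid=9999",
]

# Registry-path rules keyed by the signature name the report uses.
# (Older Outlook versions keep profiles under a different key; extend the rule if needed.)
REGISTRY_RULES = {
    "Checks computer location settings": re.compile(
        r"\\Control Panel\\International\\Geo(\\Nation)?$", re.I),
    "Accesses Microsoft Outlook profiles": re.compile(
        r"\\Office\\[\d.]+\\Outlook\\Profiles", re.I),
}
# Order of calls that makes SetThreadContext look like hollowing rather than debugging.
HOLLOWING_SEQUENCE = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")


def in_order(seen, wanted) -> bool:
    """True if every element of `wanted` appears in `seen` in the same relative order."""
    it = iter(seen)
    return all(any(s == w for s in it) for w in wanted)


def detect(events):
    """Return {signature name: sorted list of pids} for the events that match."""
    hits = {}
    per_target = {}  # (pid, target argument) -> apis seen, in order
    for line in events:
        pid, api, arg = line.split("|", 2)
        if api.startswith("Reg"):
            for name, rx in REGISTRY_RULES.items():
                if rx.search(arg):
                    hits.setdefault(name, set()).add(pid)
        elif api in HOLLOWING_SEQUENCE:
            per_target.setdefault((pid, arg), []).append(api)
    for (pid, _target), apis in per_target.items():
        if in_order(apis, HOLLOWING_SEQUENCE):
            hits.setdefault("Suspicious use of SetThreadContext", set()).add(pid)
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in detect(EVENTS).items():
        print(f"{name}: {', '.join(pids)}")
```

Note that pid 9999 calls SetThreadContext once on itself with no preceding write and is not flagged; the sandbox's own signature fires on the single call, which is the right choice for a triage report but too noisy for an endpoint detection rule.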