General
Target: c93b2e5437769a30e512a711ca27632b529736967d1c07b5b497eb9944f70374
Size: 390KB
Sample: 220521-ck634shahk
MD5: ba1dcc0f74dfef6cf5661a21169ab63b
SHA1: e7df8c5cef47ee32ff495e320dc2d11802cb9301
SHA256: c93b2e5437769a30e512a711ca27632b529736967d1c07b5b497eb9944f70374
SHA512: 25946590742712ed1c53a56005d739d3f791e10dfa069734966fe5a5570b45ed5d9e4762b85353451b3c1eb13181abc8936e0de19e43a393c984ca9272d97c2b
Static task: static1
Behavioral task: behavioral1
Sample: NYRNC200420511_FreightArrival.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: NYRNC200420511_FreightArrival.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: mail.karmachalets.co.in
Port: 587
Username: [email protected]
Password: Akshya@123
These are the credentials of the operator's collection mailbox: the sample authenticates to it over SMTP submission (port 587) to send stolen data, so the host is the network indicator to alert on. The username is obfuscated in this copy of the report.
Targets
Target: NYRNC200420511_FreightArrival.exe
Size: 446KB
MD5: 4e94b9a3025122a9949b79b37eeb3cff
SHA1: a298bbb92765a40d6229da48b5c6c0edbc70f510
SHA256: cb2792644a81d965b332d8d165e1e6f75894b43942a33d7e367f9b3a36d4a2bf
SHA512: 8551ea40aa3ee4dfc119b4560bee1c6a501be24b53f209e6b1672902b37a063cdd859822ba5793383ef679364fadc672b03c5752915f5404c75be74bef6678f3
AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT) that harvests credentials from browsers and mail clients and exfiltrates them, in this sample over SMTP to the mailbox in the extracted config.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap resource and decrypts it from the image's pixel data at runtime.
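The CoreEntity entry above says the payload rides inside a Bitmap object and is decrypted at runtime. The block below is an added example, not code from the sample or from this report, showing the shape of that technique end to end: it writes a minimal 32-bpp BMP whose pixel bytes carry a length-prefixed, XOR-encrypted blob, then parses the BMP headers to locate the pixel array and recover the blob. The payload, the key, the length-prefix layout and the XOR cipher are assumptions for illustration; the report does not say what cipher or layout CoreEntity uses.

```python
import struct

# Constructed payload and key for the demonstration (assumptions, not taken from the sample).
PAYLOAD = b"MZ\x90\x00\x03\x00demo-stage-two-assembly"
KEY = b"\x5a\xa3\x17\xc9"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it serves as both 'encrypt' and 'decrypt'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_into_bmp(payload: bytes, key: bytes, width: int = 16) -> bytes:
    """Build a 32-bpp BMP whose pixel array is [u32 length][xor(payload)] plus zero padding.

    32 bits per pixel keeps every row 4-byte aligned, so no row padding has to be handled on
    either side. Row order (BMPs are stored bottom-up) does not matter here because the blob is
    written and read as one linear byte stream rather than pixel by pixel.
    """
    body = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    bytes_per_row = width * 4
    height = -(-len(body) // bytes_per_row)                 # ceiling division
    pixels = body.ljust(height * bytes_per_row, b"\x00")
    # BITMAPINFOHEADER (40 bytes): header size, width, height, planes, bpp, compression (BI_RGB),
    # image size, horizontal/vertical pixels per metre, colours used, important colours
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 32, 0, len(pixels), 2835, 2835, 0, 0)
    pixel_offset = 14 + 40
    # BITMAPFILEHEADER (14 bytes): 'BM', file size, reserved, reserved, offset of the pixel array
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(pixels), 0, 0, pixel_offset)
    return file_header + info + pixels


def unpack_from_bmp(bmp: bytes, key: bytes) -> bytes:
    """Locate the pixel array via the headers (not a fixed offset), then recover the payload."""
    magic, _size, _r1, _r2, pixel_offset = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    hdr_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", bmp, 14)
    if hdr_size < 40 or bpp != 32 or compression != 0:
        raise ValueError("unsupported bitmap layout: expected uncompressed 32 bpp")
    pixels = bmp[pixel_offset: pixel_offset + width * abs(height) * 4]
    (length,) = struct.unpack_from("<I", pixels, 0)
    if length > len(pixels) - 4:
        raise ValueError("length prefix exceeds pixel data; wrong image or corrupted carrier")
    return xor_bytes(pixels[4:4 + length], key)


if __name__ == "__main__":
    carrier = pack_into_bmp(PAYLOAD, KEY)
    recovered = unpack_from_bmp(carrier, KEY)
    print(f"carrier {len(carrier)} bytes, payload recovered: {recovered == PAYLOAD}")
```

Against a real sample the first step is pulling the resource out of the .NET assembly (for example with dnlib or a resource dump) and recovering the actual cipher and key from the stub's decryption routine; the header parsing is the part that carries over unchanged, since trusting a fixed offset breaks as soon as the packer changes image dimensions or bit depth. If the stub reads pixels with GetPixel in x/y order rather than as a byte stream, the extractor must walk rows in the same order the stub does.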
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
Accesses Microsoft Outlook profiles
Outlook profile data in the registry holds stored mail account settings and credentials, consistent with the stealer's credential-harvesting role.
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext
Setting another thread's context is commonly used in process hollowing, where a decrypted payload is written into a freshly created process and its entry point redirected.
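The registry signatures listed above (VirtualBox Guest Additions, VMware Tools, BIOS, location settings, drive enumeration, Outlook profiles) are individually noisy, since legitimate software reads several of them. What distinguishes a stealer is one process touching many of them in a single run. The block below is an added example, not part of this report, of detection logic that does that grouping over registry-access events. The event format, the process IDs, the benign processes and the registry paths are constructed or assumed: the paths are the well-known locations for each check, but the report does not say which keys the sample read, and the threshold is a tuning choice.

```python
import re
from collections import defaultdict

# Registry locations behind each signature in the report. These are the well-known keys such
# checks read and are an assumption of this example; the report does not list the exact keys.
SIGNATURES = {
    "vbox_guest_additions": re.compile(r"\\Oracle\\VirtualBox Guest Additions", re.I),
    "vmware_tools":         re.compile(r"\\VMware, Inc\.\\VMware Tools", re.I),
    "bios_info":            re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", re.I),
    "geo_location":         re.compile(r"\\Control Panel\\International\\Geo", re.I),
    "disk_enum":            re.compile(r"\\Services\\Disk\\Enum", re.I),
    "outlook_profiles":     re.compile(r"\\Outlook\\Profiles\\", re.I),
}
ANTI_ANALYSIS = {"vbox_guest_additions", "vmware_tools", "bios_info", "geo_location", "disk_enum"}

# Constructed registry-access events in a flattened Procmon/EDR-style form, one per line. PIDs,
# paths and the two benign processes are made up to show the grouping; not from the sandbox run.
SAMPLE_EVENTS = """\
pid=4120 image=C:\\Users\\victim\\NYRNC200420511_FreightArrival.exe op=RegQueryValue path=HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions\\Version
pid=4120 image=C:\\Users\\victim\\NYRNC200420511_FreightArrival.exe op=RegOpenKey path=HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
pid=4120 image=C:\\Users\\victim\\NYRNC200420511_FreightArrival.exe op=RegQueryValue path=HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer
pid=4120 image=C:\\Users\\victim\\NYRNC200420511_FreightArrival.exe op=RegQueryValue path=HKCU\\Control Panel\\International\\Geo\\Nation
pid=4120 image=C:\\Users\\victim\\NYRNC200420511_FreightArrival.exe op=RegOpenKey path=HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
pid=4120 image=C:\\Users\\victim\\NYRNC200420511_FreightArrival.exe op=RegQueryValue path=HKCU\\SOFTWARE\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001\\Email
pid=812 image=C:\\Windows\\System32\\svchost.exe op=RegQueryValue path=HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVendor
pid=2290 image=C:\\Program Files\\Oracle\\VirtualBox Guest Additions\\VBoxTray.exe op=RegQueryValue path=HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions\\Version
"""

EVENT_RE = re.compile(r"^pid=(\d+) image=(.+?) op=(\w+) path=(.+)$")


def parse_events(text: str) -> list:
    """Turn the flattened event lines into dicts; lines that are not registry events are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            pid, image, op, path = m.groups()
            events.append({"pid": int(pid), "image": image, "op": op, "path": path})
    return events


def classify(path: str) -> set:
    """Which signature categories a single registry path falls into (usually zero or one)."""
    return {name for name, rx in SIGNATURES.items() if rx.search(path)}


def score_processes(events: list, min_anti_analysis: int = 3) -> dict:
    """Group hits per process and flag the ones that look like a stealer profiling its host.

    One category on its own is normal (VBoxTray reads its own key, svchost reads BIOS data). A
    process that trips several anti-analysis checks in one run, or pairs any of them with Outlook
    profile access, matches the behaviour the report attributes to the AgentTesla payload.
    """
    hits = defaultdict(set)
    images = {}
    for ev in events:
        hits[ev["pid"]] |= classify(ev["path"])
        images[ev["pid"]] = ev["image"]
    findings = {}
    for pid, cats in hits.items():
        anti = cats & ANTI_ANALYSIS
        creds = "outlook_profiles" in cats
        if len(anti) >= min_anti_analysis or (anti and creds):
            findings[pid] = {"image": images[pid], "anti_analysis": sorted(anti), "credential_access": creds}
    return findings


if __name__ == "__main__":
    for pid, f in score_processes(parse_events(SAMPLE_EVENTS)).items():
        print(pid, f["image"], f["anti_analysis"], "outlook" if f["credential_access"] else "")
```

On the constructed input only the sample's process is flagged: it hits all five anti-analysis categories plus Outlook profile access, while svchost and VBoxTray each hit one. Lowering min_anti_analysis to 1 turns both benign processes into alerts, which is the false-positive rate the per-signature view above would produce on its own.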