General

Target: cd995254d59965755cb01e59fd244abcf2df29c0979de0e31789879fc2a495e8
Size: 488KB
Sample: 220521-ckapxaead9
MD5: f8e9270d027d199ca0bb42fd839bdc30
SHA1: 6c6708238f02a5d57f28a618a97beb40935b99e0
SHA256: cd995254d59965755cb01e59fd244abcf2df29c0979de0e31789879fc2a495e8
SHA512: 6d56c83e469d5f1b62cafdfe10bf98f77ab171cdce8fd534c895e3dffd29c4ef039c4ddbb1d077f71fe39d7ca1f0bb947939c7018d9c3810317a93cec6590283
Static task: static1

Behavioral task: behavioral1
  Sample: Letter.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: Letter.exe
  Resource: win10v2004-20220414-en
Malware Config

Extracted: agenttesla
  Protocol: smtp
  Host: mail.gayaceramic.com
  Port: 587
  Username: [email protected]
  Password: 2019gaya
Targets

Target: Letter.exe
Size: 581KB
MD5: 6b1a709c8884accc0ba410ef9413a04c
SHA1: bb80dad1518cd8d7bb912b74bcf01c927b45394a
SHA256: 439ed702b9700b4bd7ec8877db8d90820176cd183cb888c8be9b14267d3581cc
SHA512: 309ef31c93845a36060bd4b69a3d7cfc79bebb518530371846165a49c7dc74069777c09067d3406ee2cb3de94494c8ff31b8ffdeb54f0cd4c6088b6cd6fc16c7
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.

Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.

Accesses Microsoft Outlook profiles

Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.

Suspicious use of SetThreadContext