General
Target: b023dc5c80743dd83a5887e66274553f15d9c787a0186a949b8e3c75595a0d5f
Size: 806KB
Sample: 220521-cr5hvsedd5
MD5: ebe9d567fc7e1d0e801a6fb88bc0f2b6
SHA1: 110827b7dc07992c97bcbbe2e006fa4e667b24aa
SHA256: b023dc5c80743dd83a5887e66274553f15d9c787a0186a949b8e3c75595a0d5f
SHA512: d9f9035c480d75aa26ec633694f44cf39ce4939a990d021434969624279c30c043f6a28703403536a75de8e01e92a7dc418ed819a5d3ffe6a5377da651ee0ee1
Static task: static1
Behavioral task: behavioral1
  Sample: IMG-43555_UTR 34444_PDF.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: IMG-43555_UTR 34444_PDF.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
agenttesla
  Protocol: smtp
  Host: smtp.urban.co.th
  Port: 587
  Username: [email protected]
  Password: Urban@1143
Extracted
  Protocol: smtp
  Host: smtp.urban.co.th
  Port: 587
  Username: [email protected]
  Password: Urban@1143
Targets
Target: IMG-43555_UTR 34444_PDF.exe
Size: 940KB
MD5: 80a3e56f0e754b838dc4a2c49b44b7ac
SHA1: 181d352a869f14512dcfcd475109ca0c628e1ade
SHA256: 8846c5d088724ae06915e0e0f987ca3a65fba368095bc73f3109f6cb7841318b
SHA512: 17256ee48f88550f4bcabba39c9fe0a1a8ad015be8036ac427948505221af74ef390672247bc8e8ea3105a645760832ef0608a588f74a4e609369935b054f038
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext