General
- Target: a8e2763fc5d8ea1e327bcfcbdcfb3bb96dcf4c7b1e33f96edda1cfc8a0719f68
- Size: 595KB
- Sample: 220521-ctxk2ahefn
- MD5: 7c6cc4e3cd8f1bfda507d46b6c8cebe6
- SHA1: 4ad3d421e4fa5a78b73e0bac4a081348be9d97c5
- SHA256: a8e2763fc5d8ea1e327bcfcbdcfb3bb96dcf4c7b1e33f96edda1cfc8a0719f68
- SHA512: 7d41474a70bc43a1540d27a717f9050521f37f2eba2de4af918bf89174416d9dcce69950fd454cb974348158bbf6161594c0da224c08fc8dd1679ce8362a62e7
Static task: static1
Behavioral task: behavioral1
- Sample: Sc_21121001111_pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Sc_21121001111_pdf.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: blessing2020
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: blessing2020
Targets
- Target: Sc_21121001111_pdf.exe
- Size: 646KB
- MD5: 7ccb2afaa6bad0e89349543ba4cd56b7
- SHA1: 03f817631c71445a805e5d6cfd6d227e99607ca4
- SHA256: 013d92479d88b8e1c76b764f9362e1c101481b6c26ac40dacec77b7910ec7344
- SHA512: 4ab77e38298ba13a2b60c80925ea99b880a61a7e24b8d53641b3e4095bd6d7199018ce28deb2400635138e4d074e861e26df45145e7dd33ef86f52b1bbc795c9

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext