General
Target: 91268132770bf3f35245e413287d977702770b051dcb4168fb3cad8c005c39d7
Size: 480KB
Sample: 220521-cz6e5ahhbq
MD5: dbfbf90135239117abe06ac6931d9baa
SHA1: 33466edafed94d62c8898610eb300a09322aa929
SHA256: 91268132770bf3f35245e413287d977702770b051dcb4168fb3cad8c005c39d7
SHA512: 10079f7235e265dcbbeb7f5ab73b362ad96f6ec70bfb48dbd6dfe38bddd69f5a641e2fceeb97fc6c1b543fb6b893ab2c52907493e34a0bd46b837bc68e4c2a71
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation.Ref#78665.Scan.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Quotation.Ref#78665.Scan.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.ametropolis.com
  Port: 587
  Username: [email protected]
  Password: Gera5956
Targets
Target: Quotation.Ref#78665.Scan.exe
Size: 532KB
MD5: fa06a33f88d556513c868f2e7c84243e
SHA1: 8755eab25945de4d7139104e4565da3a06c6123f
SHA256: 83497e0090f1d2ee05ec4a24b60def09707801d0cd25f5a76ade33ae943ca4bd
SHA512: 08aa1c3656745e90b7d3f6ef01435473ff5551f7c7e0cfb4a9afa39f3f4ffc22de9a904aa1bde3898ff15a3add1db3d422ff853656222fc2e0319e99aee8d99f
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is decrypted at runtime.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext