General
Target: 0aab0231c75193c9e832c5cd000dea83298e2bc3aed79d765152440064f8f5cc
Size: 485KB
Sample: 220521-d3csnabgbk
MD5: e85ff90e403f6eeef71a75074ca5feb9
SHA1: 0c898f4cf67b3a3e0325b5732b018e219180a770
SHA256: 0aab0231c75193c9e832c5cd000dea83298e2bc3aed79d765152440064f8f5cc
SHA512: a20f692bafd7c05e50cc1ee62b909e260438bced92c4fe96e35375f731b3de51f88775e67b37423aff2f441ba77188e9d0b75362a8698a851b2ca1960e09c9ec
Static task: static1
Behavioral task: behavioral1
  Sample: SOA.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: SOA.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.pro-powersourcing.com
Port: 587
Username: vivi@pro-powersourcing.com
Password: china1977
Targets
Target: SOA.exe
Size: 539KB
MD5: 36914235489a2a8d85d5b74e72240324
SHA1: cd625adecfa3ef160f57eee2069e7775744f730c
SHA256: b40edfb78610a92314bc7d79c6c64aee89064821da0187475855ecc87c0148ed
SHA512: fca474672dad94f3d8a8741394eac7a413f2ddcfe9cb299a54b9f870daaa07fc9785cde12c0e68eb71025fe0090c24e6184207f3a021e89152b52b7b0f8e5c08
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is later decrypted.
AgentTesla Payload
Disables Task Manager via registry modification
Drops file in Drivers directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext