General
Target: 6e02cd1d1a26e955b3d66d447bb84dca232b547098502c69d896b38c71614c85
Size: 466KB
Sample: 220521-dap8aafcf2
MD5: 7387105ae5ccf0cba4a8abcbd467ea9c
SHA1: 1fd5c0baa38f78a26f2960503177287425d331c6
SHA256: 6e02cd1d1a26e955b3d66d447bb84dca232b547098502c69d896b38c71614c85
SHA512: 01ca8a8aa8edb75f1e5f826877493275798da5a0baf9cb889a61021ba4f58f2874e2f113f3c45dcce2c49a98b0b27a91200454c51471a5b72baa161263fb66d2
Static task: static1
Behavioral task: behavioral1
  Sample: GlobalOrder_T0028342005500.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: GlobalOrder_T0028342005500.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.sesan.com.vn
  Port: 587
  Username: [email protected]
  Password: 123456
Targets
Target: GlobalOrder_T0028342005500.exe
Size: 500KB
MD5: 444061aa3f4503ed0e8f1ab80cc6ec92
SHA1: 3e7d516589952ccdbd265e434aa54a6025430628
SHA256: d60f774507ea86cf6fb6caec5bb930bc86ad5a38c9d9f72d568230580f02c92a
SHA512: 5e1cae6bd190022cf2698064fd896299f86616976f96b93647423831bb6c8b3aa56e923c91d93d185a2169d350a0b87bb4de333b9959a9632a74d633d0ec47c4
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext