General
Target: 660ea1ce5d2631259675f593f6070ad6cc201551de448254d5bcde3e19d7c7bb
Size: 449KB
Sample: 220521-dcx1xaaeep
MD5: 9bb3be3620476f403c6561e3ece15b89
SHA1: 6f48c52064870a1328954837a08afc1961d1792b
SHA256: 660ea1ce5d2631259675f593f6070ad6cc201551de448254d5bcde3e19d7c7bb
SHA512: 984980bb336bddbfbe5aea2dd4a21007fc3ccef1da6fab195744d0830f2cb81634a0f4afab2cce206acfe18a44a51e2f6398929a26ef3d079517fe8d55119e07
Static task: static1
Behavioral task: behavioral1
Sample: SOA.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: SOA.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.pro-powersourcing.com
Port: 587
Username: [email protected]
Password: china1977
Targets
Target: SOA.exe
Size: 484KB
MD5: 43cfa744a47b3858736b6c635fda509b
SHA1: 0d7f38330a6c27aafa2d0dc2d137b4f972d22cfc
SHA256: ef7a6fa5553b2f93bbe0ec60a3f636c6e028876ca02ebed0a26ff9ad23732d65
SHA512: e3f117ddc5c57435d5b362dec48619b0d840b10f1c444a99f2dc85c279f3fd9ed2e8459c3622de1c7283878b372a19394128e2efa5562030ff3f52b51bb225e4
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is later decrypted.
AgentTesla Payload
Disables Task Manager via registry modification
Drops file in Drivers directory
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext