General
- Target: 5f5f6565e2b737b5534cea0f1ea574a732adcd2ac6c1ee675523871c2bcaf461
- Size: 378KB
- Sample: 220521-dedeaafec6
- MD5: 4a97e4566516f4b54b134eea9b70b238
- SHA1: cf48f1c99b66f4d3747f5c07d7b949eb21ef0c79
- SHA256: 5f5f6565e2b737b5534cea0f1ea574a732adcd2ac6c1ee675523871c2bcaf461
- SHA512: eeee35647e0a73e3ddb54ba858acec1bb7cb2989d988c4b922ff311d3a327d7092417a0eafbfadeffcc912eafcbf17a86071c884f10f3d37e668348d5111dcf4
Static task
- static1
Behavioral task
- behavioral1
  - Sample: DOC-Scan00567_pdf.exe
  - Resource: win7-20220414-en
Behavioral task
- behavioral2
  - Sample: DOC-Scan00567_pdf.exe
  - Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.cosmosgroup.in
- Port: 587
- Username: [email protected]
- Password: santosh_cosmos
Targets
- Target: DOC-Scan00567_pdf.exe
- Size: 412KB
- MD5: 476f0f9309965ce0f31ce6ee146f6ad3
- SHA1: 7cc7994a4b4117616c6a3952257d8dc6ea622917
- SHA256: 15154cbc9862afbec2f10963d73522701380e919fff8250e455553871fba1b7e
- SHA512: ed8839bb67ef575553206cc847a4b59019d8834562a9bb5d9dccec8958ab20c96f002b077bff87ac5cb640950ab1242ef78b9baf7aef2f8f15c8e6bd1a227938
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext