General
- Target: 51b5b0a97829aad9caf7fe1dc267dc8f5119029c1dc394a3c96337ee370e34c6
- Size: 382KB
- Sample: 220521-dhyjmafgb4
- MD5: a69b5a96be972a24395a420642681d05
- SHA1: f98eb7637d58a86b531c4e505400f32b5ded3980
- SHA256: 51b5b0a97829aad9caf7fe1dc267dc8f5119029c1dc394a3c96337ee370e34c6
- SHA512: ed7607b76b1988f5affa624d55a2e0b62e6faa7b5980dff4ba8d2cd897f31064f92e4fb4f0bf53d8783d22455c8d462aab3d7a78bbdf485455276d7cdc63418b
Static task: static1
Behavioral task: behavioral1
- Sample: A7CT89pG6e5swNF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: A7CT89pG6e5swNF.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.healthplusuae.com
- Port: 587
- Username: [email protected]
- Password: basheer7648903
Targets
- Target: A7CT89pG6e5swNF.exe
- Size: 415KB
- MD5: 16519b78e0a1e678716dbbfd2283d946
- SHA1: 4a0dd4993dd92e8690ac08109738212dd6b7d677
- SHA256: fd443146a204defbec7fec9e24c97cd70e2eba3d8bac15a1f792b32d5cd456e9
- SHA512: 35d62bdcc662475e448ddfd77491bad2773b110a1b7eff1fe991ba13fe8b211bb9b0ad6feef9b6d70e43e38fd7598f7a606fcbf7e30d71f3fbc4cf79e635929c
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  CoreEntity is a .NET packer that embeds the payload as a Bitmap object, which is later decrypted.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext