General
- Target: 27c1110123a884666fc61fd77e3ed754676a0f20b03a6aa8895066765a40989e
- Size: 508KB
- Sample: 220521-dtzk3agch3
- MD5: 6c80600231adb28b5d08b0494645c70a
- SHA1: b35338fd17b047f9f034c9ab2af23a49403439e3
- SHA256: 27c1110123a884666fc61fd77e3ed754676a0f20b03a6aa8895066765a40989e
- SHA512: 09fca7bdd38e0f37e2932bbee9369344bb9a8cb2ad6306830e1def194b691a4956e4571c72154d963f2f1e29083fec23bf3d3a1cdaf0477401db4025b3dad617
Static task: static1
Behavioral task: behavioral1
- Sample: purchase order HB-20-06099.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: purchase order HB-20-06099.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp - Host: mail.suncurepelletmill.com - Port: 587 - Username: [email protected] - Password: pellet2013
Targets
- Target: purchase order HB-20-06099.exe
- Size: 446KB
- MD5: 2a4f2669b73ffc3bcb1f382774f57c37
- SHA1: a5f0968074fae2fa93e10684fc03ec817198639f
- SHA256: d2dbb94dedc36a45bd0f528aefae333861935729369b2136b85daa3ff77e4e0a
- SHA512: ed1f55a2833460c9fd63d7305661bdab8c362579b630d7d2c05b2585ebf79a69f424b367f115721a3ae59491eef72a2bdd8d600656837921041696a022d35474
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: a .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
- AgentTesla Payload
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext