General
- Target: a9ba0327f1ea8e71d77af0465dffe3038f7bc33910f908c97eab62b7bfcc404d
- Size: 470KB
- Sample: 220521-n2z7nshfdl
- MD5: 5016f14b9881ace33328993e755daadf
- SHA1: 15d15baa185a877ebeaf74ad59ba209a8c90e8fa
- SHA256: a9ba0327f1ea8e71d77af0465dffe3038f7bc33910f908c97eab62b7bfcc404d
- SHA512: 8ed90434fe022fb42ae43b59aa1983a2ed3d485823890c7cd0dd80807d16f71eedb36b010d8ed40abaf2bd99a34c54468a47cdef645270a486b0c68e9bae583c
Static task: static1
Behavioral task: behavioral1
- Sample: New #PO 84042841.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: New #PO 84042841.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sridurgaagros.com
- Port: 587
- Username: patlog@sridurgaagros.com
- Password: @Hammer1980
Targets
- Target: New #PO 84042841.exe
- Size: 685KB
- MD5: 20187c9899f3b395219e55133004bd23
- SHA1: 952ca8e8eed8e2c05f7627e93ed4dad15a0fff9c
- SHA256: ba6c27eedbe9c1152f8232f685600ec69ad11ada7b6e82db997e08d89a1b0385
- SHA512: c8d9ab5f04c3514c207d712ec4211d41161848b1bc85dc37a4ef6b66f60ef79165ca2cb68fb965fa9e9e9ac42ab14ee7b19f05e1253815f47795f7478cecc082
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext