General
Target: 875096b2ca00440f1fc10d450738e0a8d7535f79f6266f54bf5d25602fa8d5ac
Size: 368KB
Sample: 220521-n6djgahhan
MD5: d0e204f20d461729d69ace256393181a
SHA1: f8a7b460ae256cf956d48b0b5a383b5c5a554276
SHA256: 875096b2ca00440f1fc10d450738e0a8d7535f79f6266f54bf5d25602fa8d5ac
SHA512: fc56bff8b0d3a1b0c8b2a7d52f5735ac6f29e4dfa2afb41c93309749f7a7dd02e93e344b940c2ab4219d34d7266b6a50284291ccd48c6824558995f5425071d9
Static task: static1
Behavioral task: behavioral1
Sample: UPS Invoice-661754.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: UPS Invoice-661754.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.cosmosgroup.in
Port: 587
Username: santosh@cosmosgroup.in
Password: santosh_cosmos
Targets
Target: UPS Invoice-661754.exe
Size: 413KB
MD5: 85668d3a7ff81363fbf096c4a458cde0
SHA1: 8a8d5dcfb32b8478f8a1095bdad0ae0bb64177e6
SHA256: 7f9bf2d1063480558f9c615fda4a47a49b08af8404298f0914b937bef6f26c4f
SHA512: 670ba603b757a2f9bdc305c737b8f1ebe42e9295f48667fbaaab4427963ff2585ef6a27d568bc6e3b4119ce6edb454cccf8fc588a702ffcd36da6330e9796ddc
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
AgentTesla Payload
CoreCCC Packer
Detects the CoreCCC packer used to load .NET malware.
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence.
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext