General
- Target: db9e101a455cc5601582e029cae66c9d79c9042da5a0faf20aa145e47fd8f42d
- Size: 496KB
- Sample: 220521-n85ezaeha4
- MD5: b0d4920c81b2b52f8c711eda531f38b8
- SHA1: eabf83ded0901a19ca41d5a9f9532daba2c737bd
- SHA256: db9e101a455cc5601582e029cae66c9d79c9042da5a0faf20aa145e47fd8f42d
- SHA512: 71ec196c094179201e7a9a30707c6cdbda72eae2ed6ee5f891c9cca223bdd076a5cf92258af90f53779e18259f80d76930ea1d97ef1d4f4c4fd1fa8689e2bffe
Static task: static1
Behavioral task: behavioral1
- Sample: Akbank Bildirimi.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Akbank Bildirimi.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: bin2laden@yandex.com
- Password: gatefee22
Targets
- Target: Akbank Bildirimi.exe
- Size: 530KB
- MD5: 6864baa092a9d571a6b2b90994695ec8
- SHA1: 360b38f1050fa182cb4c579dd7af60d784d3f543
- SHA256: 6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
- SHA512: 91fde501a8d514ff2ffeb12d0deb7721c372ccbf657e962e4ad5b35f0500a6fb5aa7e1b150ea4042ded50d7e898b5e8f432c8ee5ef931a08462a314cc4e5dd80
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- CoreCCC Packer: Detects the CoreCCC packer used to load .NET malware.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext