General
- Target: f748b82467e71bd1b2a1a12c128e8c66425be3054f5144b000cc94f52383fa19
- Size: 506KB
- Sample: 220521-n8k2bsegg2
- MD5: 8fdead561b7de0d74665ebb7bc6352ce
- SHA1: e07214206ef3cd037f7cf14ec39fee9336723334
- SHA256: f748b82467e71bd1b2a1a12c128e8c66425be3054f5144b000cc94f52383fa19
- SHA512: 5c26be026ea17bfb097330e2538a6266c6828119d2e438126793aea0371f28e0327d88e3d33728d23912cdacb2bb5216051673cd550f1f7ccba98b9841e5be68
Static task: static1
Behavioral task: behavioral1
- Sample: company profile and order.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: company profile and order.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: clubluxurious.com
- Port: 587
- Username: adminsmtp@clubluxurious.com
- Password: lovers903212@@@123
Targets
- Target: company profile and order.exe
- Size: 541KB
- MD5: 901d22562d31a9e1c5db78101f5a1a5b
- SHA1: 5bb7d889b40ab7bf7565f5709ec85806624f262f
- SHA256: 17b08a5f3af74a6f01300f637e6975b4d42a04b3c1f5825a86106adc48f51608
- SHA512: a7c094689266752791228a518c725e2f36a45bb5ef47c5a9020cabad3f35ca5f3057db44dcc4ff4ed7879e40755af4ebe165ea50735774478c4aca414f2a3e56
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: A .NET packer, CoreEntity, that embeds the payload as a BitMap object which is later decrypted.
- AgentTesla Payload
- CoreCCC Packer: Detects the CoreCCC packer used to load .NET malware.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext