General
- Target: f53ce702da37fe9720c8ee5e54fae93455516808ca376be2587362b2d6689d1f
- Size: 265KB
- Sample: 220521-n8l9dsaabk
- MD5: b79ff6ad90cf2219e3d36f3e0fae5446
- SHA1: 7f96c1cff3356578c658d1ed5bbd1c93ed5032d1
- SHA256: f53ce702da37fe9720c8ee5e54fae93455516808ca376be2587362b2d6689d1f
- SHA512: 5f3a523c4cdfe85468c3d373c7c102cd40071dcaf3fcea6a598af29436458e994c84b45595fd0eaf0c40f9f33531a56169c12ace7cf6b692c5d64d69b3c443e0
Static task
- static1
Behavioral task
- behavioral1
  - Sample: SCHACHERMAYER INQ2.exe
  - Resource: win7-20220414-en
Behavioral task
- behavioral2
  - Sample: SCHACHERMAYER INQ2.exe
  - Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.okgrocer.co.za
- Port: 587
- Username: lot1567@okgrocer.co.za
- Password: Theunis@123
Targets
- Target: SCHACHERMAYER INQ2.exe
- Size: 444KB
- MD5: 8593b1cec0cbf443f51b1be38eaba1e2
- SHA1: 9ba1e269f69c7a4d3c18d93bd68d6f78b2356687
- SHA256: dfe2978764d493ac195ec5a39d99f998c1d69d9f68e25bbbe090d9b2f7cb97c2
- SHA512: bb787c21279a0c0686a7def3254ed939390a144ac0264129cbdb5f79e35008487daa3ca99a037ca4027284f0b9fd6a0899850b60cce4640f2970f416e4395d73
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext