General
Target: 4397420c0db71a117903ac5be006c050d5dbd3d2d3c2e574aa02ba5480ed955b
Size: 228KB
Sample: 220521-nc3w9sgfan
MD5: 7467d6cef742a3ffe4a5409c79c413d6
SHA1: 712a430c5a34c14a253f35ebde63dc9e970c06e6
SHA256: 4397420c0db71a117903ac5be006c050d5dbd3d2d3c2e574aa02ba5480ed955b
SHA512: c79f546e32d8180d21e970e70b51f37cc06ebcd4f44a6a0e6b98cc7a963e17c205da85c80c52167845d1c67b33efd0cba9b619ed5284de28f8c0169a0cd599ba
Static task: static1
Behavioral task: behavioral1
Sample: pictures.scr
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: pictures.scr
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: bh-31.webhostbox.net
Port: 587
Username: godwillpayme@schoolsadvisory.com
Password: *JP9uoO%;M%Z
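The extracted config above gives the three network indicators a defender actually needs: the SMTP submission host, the port and the account the sample authenticates as. As an added example (not part of this sandbox report), the script below runs that detection logic over a constructed EDR-style network log: a direct hit on the exfil host is rated high, and SMTP-submission traffic from a binary that is not a mail client and lives in a user-writable directory is rated medium. The log line format, the mail-client allow-list and the user-writable path list are assumptions to tune per environment; the `auth_login_indicator` helper shows the base64 form of the username that AUTH LOGIN puts on the wire, which is what a network signature would match.

```python
"""Detect Agent Tesla SMTP exfiltration from network telemetry.

Added example; the log lines below are constructed, not sandbox output.
"""
import base64
import ntpath
import re

# Indicators taken from the extracted config on this page.
EXFIL_HOST = "bh-31.webhostbox.net"
EXFIL_PORT = 587
EXFIL_USER = "godwillpayme@schoolsadvisory.com"

# Assumptions: tune these to the fleet being monitored.
SUBMISSION_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")

# Constructed EDR-style log, one network event per line (not real telemetry).
SAMPLE_LOG = r"""
2022-05-21T10:14:02Z host=WS01 pid=4120 image=C:\Users\bob\AppData\Roaming\pictures.scr dst=bh-31.webhostbox.net dport=587 proto=tcp
2022-05-21T10:14:05Z host=WS01 pid=2208 image=C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE dst=smtp.office365.com dport=587 proto=tcp
2022-05-21T10:15:11Z host=WS02 pid=3344 image=C:\Windows\explorer.exe dst=10.0.0.5 dport=445 proto=tcp
2022-05-21T10:16:40Z host=WS03 pid=5012 image=C:\Users\ann\AppData\Local\Temp\svchost.exe dst=mail.example.net dport=587 proto=tcp
"""

# Lazy match on image= so paths containing spaces survive.
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_events(log: str) -> list[dict]:
    """Turn log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"])
        ev["dport"] = int(ev["dport"])
        ev["basename"] = ntpath.basename(ev["image"]).lower()
        events.append(ev)
    return events


def classify(ev: dict):
    """Return (severity, reason) for an event, or None if it looks benign."""
    if ev["dst"].lower() == EXFIL_HOST:
        return "high", f"connection to known Agent Tesla exfil host {EXFIL_HOST}"
    if ev["dport"] in SUBMISSION_PORTS and ev["basename"] not in MAIL_CLIENTS:
        if any(d in ev["image"].lower() for d in USER_WRITABLE):
            return "medium", "SMTP submission from non-mail-client binary in user-writable path"
    return None


def find_exfil(log: str) -> list[dict]:
    """All events that classify as suspicious, with severity and reason attached."""
    hits = []
    for ev in parse_events(log):
        verdict = classify(ev)
        if verdict:
            severity, reason = verdict
            hits.append({**ev, "severity": severity, "reason": reason})
    return hits


def auth_login_indicator(user: str = EXFIL_USER) -> str:
    """SMTP AUTH LOGIN sends the username base64-encoded; this is the on-wire form."""
    return base64.b64encode(user.encode()).decode()


if __name__ == "__main__":
    for hit in find_exfil(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["host"]} pid={hit["pid"]} {hit["image"]} -> {hit["dst"]}:{hit["dport"]}  ({hit["reason"]})')
    print("AUTH LOGIN username token:", auth_login_indicator())
```

The Outlook line is deliberately included: it uses the same port as the implant, so a port-only rule would page on every mail client in the estate. Keying on the destination host first and on process provenance second keeps the signal usable.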
Targets
Target: pictures.scr
Size: 637KB
MD5: 0879e42f499d25bc6651cef6c74e2c42
SHA1: 08c604275d3faafa8b6fed5a26399dc0010f8964
SHA256: ff556834b215cb5dc865342178c6e15e015cee26d4b601710c58264c5c76ba21
SHA512: b56b2daacca231c7c6fc9db0062d8a81fbb1524b0d9909d39af9be0a24bd484ac03ad5f00597846ae968c62547af04821b41d9eff9971fe09da646d8d1ad2ecc
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; this sample exfiltrates over SMTP using the credentials in the extracted config above.
AgentTesla Payload
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext
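The "Adds Run key to start application" signature is the persistence artifact an incident responder would go and check on a host, and a dropped screensaver under a user profile is exactly the kind of entry that should stand out. The following is an added example, not part of this report, that triages Run key entries and scores each one on where the image lives, what extension it carries and whether it borrows a system-binary name outside System32. The sample entries (OneDrive, pictures, SecurityHealth, Updater) and the environment map are constructed for illustration, not values observed in the sandbox; the `read_hkcu_run` collector uses `winreg` and only does anything on Windows.

```python
"""Triage Windows Run-key persistence entries.

Added example; sample entries and ENV are constructed, not taken from the sandbox run.
"""
import ntpath
import re
import sys

# Constructed (name, value) pairs as they would be read from
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("pictures", r'C:\Users\bob\AppData\Roaming\pictures.scr'),
    ("SecurityHealth", r'C:\Windows\System32\SecurityHealthSystray.exe'),
    ("Updater", r'%APPDATA%\svchost.exe -silent'),
]
# Assumed environment of the profile being examined (used to expand %VAR%).
ENV = {
    "APPDATA": r"C:\Users\bob\AppData\Roaming",
    "TEMP": r"C:\Users\bob\AppData\Local\Temp",
}

SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")


def expand_env(value: str, env: dict) -> str:
    """Expand %VAR% tokens from the supplied map; unknown tokens are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def extract_image(command: str) -> str:
    """Pull the executable path out of a Run value, honouring a quoted path.
    An unquoted path with spaces is ambiguous (the same ambiguity Windows has),
    so the first token is taken."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def score_entry(name: str, value: str, env: dict = ENV) -> dict:
    """Return the resolved image plus a list of reasons the entry looks suspicious."""
    image = expand_env(extract_image(value), env)
    low = image.lower()
    base = ntpath.basename(low)
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if base.endswith((".scr", ".pif", ".com")):
        reasons.append("non-.exe executable extension (screensaver masquerade)")
    if base in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append("system-binary name outside System32")
    return {"name": name, "image": image, "score": len(reasons), "reasons": reasons}


def triage(entries, env: dict = ENV, threshold: int = 2) -> list[dict]:
    """Entries whose score reaches the threshold; a single weak signal alone is not reported."""
    return [r for r in (score_entry(n, v, env) for n, v in entries) if r["score"] >= threshold]


def read_hkcu_run() -> list:
    """Collect live Run entries on Windows (run in the context of the affected user)."""
    if sys.platform != "win32":
        return []
    import winreg
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    entries, i = [], 0
    try:
        while True:
            name, value, _ = winreg.EnumValue(key, i)
            entries.append((name, str(value)))
            i += 1
    except OSError:
        pass  # EnumValue raises when the index runs past the last value
    finally:
        winreg.CloseKey(key)
    return entries


if __name__ == "__main__":
    entries = read_hkcu_run() or SAMPLE_RUN_ENTRIES
    for hit in triage(entries):
        print(f'{hit["name"]}: {hit["image"]} ({"; ".join(hit["reasons"])})')
```

The threshold of two signals is deliberate: a legitimate per-user installer such as OneDrive also lives under AppData, so "user-writable path" on its own is a lead, not a verdict. Running the same triage against the HKLM Run key and the RunOnce keys is the obvious extension once the collector is pointed at them.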