General
- Target: ff48d21210b2738f7f21511287b21be8f841e464ec116b6dcf0f0c7e03788f6e
- Size: 262KB
- Sample: 220521-nx8y1shdeq
- MD5: 6b839abd5b3cf42d88ae5df8030928c4
- SHA1: 36cdaad32a6be0a76437fc0fc9baab101b72e6b2
- SHA256: ff48d21210b2738f7f21511287b21be8f841e464ec116b6dcf0f0c7e03788f6e
- SHA512: 3b23126f072565dbd766500e536a9da9eeb0cd7bb263d84ab78bf8ea099f15bb67fafd5af8320c4b0277917b9e6dfc569af6ff41ca79452eee0def65be714065
Static task: static1
Behavioral task: behavioral1
- Sample: PI-030491565.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PI-030491565.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.miomantenimiento.com
- Port: 587
- Username: mariocastro@miomantenimiento.com
- Password: mariocastro
Targets
- Target: PI-030491565.exe
- Size: 610KB
- MD5: d010e2b46a90d9eba12f6289f646a63a
- SHA1: e3ba1ddf3762420d39675153ea3af7a69a02dc73
- SHA256: 312c318247865049e4ae58114d1d4a9931b566763eecfb2e83e167c8c410bee5
- SHA512: a68ba4ed04457423c1d607ffa6e2a36736e98a730722ceab4f2fe5b6495e9ab94780a91034d1178ecd4805fa5a9bf142e65aa1b785083501c6cbcc62c474538e
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext