General
Target: eeb657c996085b9dfa34b7d7c649f03d8106111ab537058cb2fad15fa4512bcd
Size: 338KB
Sample: 220521-nymgeahdgj
MD5: 2c7f0deb853f41ed8a2c66f4438e9b13
SHA1: 0695f35c2b3536a5d38b956ff5e4ab80ada80a0f
SHA256: eeb657c996085b9dfa34b7d7c649f03d8106111ab537058cb2fad15fa4512bcd
SHA512: c94285a76f8259051208fa9541516a2c134ec939c3f690fc737f3e57f6b851a9cc745d58fab77e4c819f8c58327a2690fbc4e37425bf476d51af8b543a564ae7
Static task: static1
Behavioral task: behavioral1
Sample: JW50941PI,pdf.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: JW50941PI,pdf.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.heybetdeger.av.tr
Port: 587
Username: heybet@heybetdeger.av.tr
Password: Heybet27-
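The extracted config above is the exfiltration channel: the stealer logs in to the listed mail server with the listed account and mails out harvested credentials. The following is an added example, not code from this report or from the sandbox, that turns that config into two network checks and runs them over constructed SMTP flows: a destination match on host and port, and a credential match that decodes the client's AUTH LOGIN or AUTH PLAIN tokens and compares the username. It assumes the client authenticates with one of those two mechanisms (a working assumption; the report does not say which), the captured flows are constructed, and the password in them is a placeholder rather than the one in the config.

```python
"""Match SMTP traffic against the AgentTesla exfiltration config extracted above."""
import base64

# Values taken from the Malware Config section of this report.
AGENTTESLA_SMTP_CONFIG = {
    "host": "mail.heybetdeger.av.tr",
    "port": 587,
    "username": "heybet@heybetdeger.av.tr",
}


def _b64(text: str) -> str:
    """Decode one base64 SMTP AUTH token; raises ValueError/UnicodeDecodeError on junk."""
    return base64.b64decode(text, validate=True).decode("utf-8")


def _enc(text: str) -> str:
    """Base64-encode a token the way an SMTP client would (used only to build samples)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def extract_smtp_credentials(client_lines):
    """Recover (username, password) from an SMTP AUTH LOGIN or AUTH PLAIN exchange.

    Only the client->server lines are needed. AUTH LOGIN sends username and
    password as two separate base64 lines (or the username inline after the
    verb); AUTH PLAIN sends one base64 blob of authzid\\0authcid\\0password
    (RFC 4616). Returns None if no complete, well-formed AUTH exchange is seen.
    """
    it = iter(line.strip() for line in client_lines)
    for line in it:
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        try:
            if mech == "PLAIN":
                blob = parts[2] if len(parts) > 2 else next(it)
                _authzid, user, password = _b64(blob).split("\0")
                return user, password
            if mech == "LOGIN":
                user = _b64(parts[2]) if len(parts) > 2 else _b64(next(it))
                password = _b64(next(it))
                return user, password
        except (StopIteration, ValueError, UnicodeDecodeError):
            return None  # truncated or malformed AUTH exchange
    return None


def check_flow(flow, config=AGENTTESLA_SMTP_CONFIG):
    """Return the list of reasons a captured SMTP flow matches the extracted config."""
    findings = []
    if flow["dst_host"].lower() == config["host"] and flow["dst_port"] == config["port"]:
        findings.append("destination matches the extracted C2 mail server")
    creds = extract_smtp_credentials(flow["client_lines"])
    if creds and creds[0].lower() == config["username"].lower():
        findings.append("SMTP AUTH with the exfiltration account from the extracted config")
    return findings


# Constructed flows (not real captures). The password is a placeholder, and no
# STARTTLS is negotiated so that the AUTH lines are visible to the parser.
SAMPLE_FLOWS = [
    {   # what an exfiltration attempt using this config would look like
        "dst_host": "mail.heybetdeger.av.tr",
        "dst_port": 587,
        "client_lines": [
            "EHLO DESKTOP-VICTIM",
            "AUTH LOGIN",
            _enc("heybet@heybetdeger.av.tr"),
            _enc("placeholder-password"),
            "MAIL FROM:<heybet@heybetdeger.av.tr>",
        ],
    },
    {   # benign mail client talking to an unrelated server
        "dst_host": "smtp.example.com",
        "dst_port": 587,
        "client_lines": ["EHLO laptop", "AUTH PLAIN " + _enc("\0alice@example.com\0placeholder")],
    },
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["dst_host"], check_flow(flow) or ["no match"])
```

Port 587 is the submission port, so real traffic will usually negotiate STARTTLS before AUTH; on the wire only the host/port indicator then survives, and the credential check only works on sandbox-decrypted sessions or on a server-side mail log. The username is the stable indicator to pivot on; the password should not be needed for detection and is left out of the config dictionary on purpose.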
Targets
Target: JW50941PI,pdf.exe
Size: 872KB
MD5: eaa461707107d984bef65c2440be4bab
SHA1: a282713aa5f086efa5b1acbef2b17c9e8faf7af4
SHA256: 982973063ae8ea7dbe8cb75740f7e99317efcb46755e51c880f2e303ed4d5e62
SHA512: dbdcf1938f2e7e80cea584ee13fcd3f73adafddc2b23d9ae8213b7b80a6261e2704f5bd9489cd05bf8d84cd9ad789090cc2d3a8974cd6e7752eeba1bf7119ed1
AgentTesla
Agent Tesla is a .NET-based remote access trojan (RAT) and information stealer, commonly described as written in Visual Basic .NET.
Signatures
AgentTesla Payload
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely as a geofence check.
Loads dropped DLL
Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Adds Run key to start application: persistence through a value under the Windows CurrentVersion\Run registry key.
Suspicious use of SetThreadContext: typically seen when a sample injects its payload into a suspended process and redirects the thread's entry point (process hollowing).
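Several of the behavioral signatures above (the registry geofence lookup, the Run key, executing and loading dropped files) are simple rules over an API or registry trace. The following is an added example, not the sandbox's own signature engine, that implements those four rules over a constructed Process Monitor CSV export and attributes events to the sample and to processes it spawns from dropped files. The registry paths it matches (HKCU\Control Panel\International\Geo\Nation for the country code, ...\CurrentVersion\Run for persistence) and the drop directories are assumptions about where each behaviour appears in a trace, not values taken from this report; the sample file names, PIDs and data values in the CSV are constructed.

```python
"""Evaluate the report's behavioral signatures over a (constructed) Procmon CSV export."""
import csv
import io
import re

# Assumed locations for each behaviour; adjust to your own trace source.
GEO_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
DROP_DIR_RE = re.compile(r"\\(AppData\\Roaming|AppData\\Local\\Temp|ProgramData)\\", re.IGNORECASE)


def match_signatures(procmon_csv: str, sample_name: str):
    """Return {signature name: [evidence paths]} for events caused by the sample.

    Events are attributed to the sample by process name; a dropped executable that
    the sample launches is added to the tracked set so its own events count too.
    """
    hits = {}
    tracked = {sample_name.lower()}   # process names attributed to the sample
    dropped = set()                   # files the sample wrote into drop directories

    def record(signature, evidence):
        hits.setdefault(signature, []).append(evidence)

    for ev in csv.DictReader(io.StringIO(procmon_csv)):
        proc, op, path = ev["Process Name"], ev["Operation"], ev["Path"]
        if proc.lower() not in tracked:
            continue
        low = path.lower()
        if op == "RegQueryValue" and GEO_RE.search(path):
            record("Checks computer location settings", path)
        elif op == "WriteFile" and DROP_DIR_RE.search(path) and low.endswith((".exe", ".dll")):
            dropped.add(low)
        elif op == "RegSetValue" and RUN_KEY_RE.search(path):
            record("Adds Run key to start application", path)
        elif op == "Process Create" and low in dropped:
            record("Executes dropped EXE", path)
            tracked.add(low.rsplit("\\", 1)[-1])   # follow the child by image name
        elif op == "Load Image" and low in dropped and low.endswith(".dll"):
            record("Loads dropped DLL", path)
    return hits


# Constructed trace in Procmon's CSV export layout (not a real capture).
SAMPLE_PROCMON_CSV = r""""Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","JW50941PI,pdf.exe","1234","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"10:01:02.5","JW50941PI,pdf.exe","1234","WriteFile","C:\Users\victim\AppData\Roaming\svc\svc.exe","SUCCESS","Offset: 0, Length: 884,736"
"10:01:02.6","JW50941PI,pdf.exe","1234","WriteFile","C:\Users\victim\AppData\Roaming\svc\helper.dll","SUCCESS","Offset: 0, Length: 40,960"
"10:01:03.0","JW50941PI,pdf.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\victim\AppData\Roaming\svc\svc.exe"
"10:01:03.2","JW50941PI,pdf.exe","1234","Process Create","C:\Users\victim\AppData\Roaming\svc\svc.exe","SUCCESS","PID: 2222"
"10:01:03.4","svc.exe","2222","Load Image","C:\Users\victim\AppData\Roaming\svc\helper.dll","SUCCESS","Image Base: 0x6b4d0000, Image Size: 0xa000"
"10:01:04.0","explorer.exe","900","RegQueryValue","HKCU\Control Panel\International\Geo\Nation","SUCCESS","Type: REG_SZ, Length: 8, Data: 244"
"""

if __name__ == "__main__":
    for name, evidence in match_signatures(SAMPLE_PROCMON_CSV, "JW50941PI,pdf.exe").items():
        print(name, evidence)
```

The explorer.exe lookup of the same key is deliberately ignored: the geofence rule is only meaningful when attributed to the sample's process tree, since legitimate software reads that value too. Note that Sysmon records registry value sets (Event ID 13) but not reads, so the country-code lookup needs an API-level trace such as Procmon or the sandbox's own hooks; the Run key and the dropped-file execution can be detected from Sysmon alone. SetThreadContext is not a registry or file event and needs API hooking or ETW to observe, which is why it is left out here.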