General
Target: c9138e38bf7241d2d79afb9b4d326a92d3bcf27cc9f032b3d2d02b6d943a1542
Size: 265KB
Sample: 220521-nz1qesedc5
MD5: 2b2613a47291de32f7564e174124255d
SHA1: bdd8cd242c70f90eb203d79f6d087de0e8e83caa
SHA256: c9138e38bf7241d2d79afb9b4d326a92d3bcf27cc9f032b3d2d02b6d943a1542
SHA512: 7ee87a3c08810051513dbade55e333673c5efd4d985b00855ee4ee0153ecd4281c837f3f4545808ee6abb38b53c98b49debe5fa30c4231b444702af67f83b4cb
Static task: static1
Behavioral task: behavioral1
Sample: INV#NO.12KF61.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: INV#NO.12KF61.exe
Resource: win10v2004-20220414-en
Malware Config
Targets
Target: INV#NO.12KF61.exe
Size: 621KB
MD5: 9d2482666eb2b88666a0d8ef8f103b7d
SHA1: 7c2a5b3606803049eedf92bdd184c601b22a46cb
SHA256: 3c165962ade84ada408c62730f36f4885ceede2f15aaa3de5e0f2d20fa204eb8
SHA512: 13f7e932db8725d0c9eb6b634a52f87fe10d2ea534e8499e902d82ea5382118df4b37de40578c73782a95ba0488d044425e011a29535aab2bdde8f2eae17588a
- AgentTesla
  Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry (under Control Panel\International), most likely to geofence execution.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext
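As an added example (not the sandbox's own signature engine, and not output from the sample on this page), the following Python shows how behavioural signatures like those listed above are evaluated over an API-call trace: each signature is a predicate on the calls, a little state is kept across calls (files the sample wrote, processes it started suspended), and the result is the set of signature names raised. The trace layout (a Call with pid, API name and already-normalised arguments, with registry handles resolved to paths and thread handles resolved to their owning pid) is an assumption of this example; the registry locations are the real Windows paths each check targets; the trace records themselves are constructed.

```python
"""Toy behavioural-signature matcher over a constructed sandbox API trace."""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit passed to CreateProcess


@dataclass
class Call:
    pid: int    # process that made the call
    api: str    # Win32 API name as the sandbox hook saw it
    args: dict  # normalised arguments; this layout is an assumption of the example


# Registry locations the signatures key on. The paths are real Windows
# locations; the regular expressions are this example's own.
GEO_KEY = re.compile(r"\\Control Panel\\International(\\Geo)?$", re.I)
GEO_VALUES = {"nation", "scountry", "icountry"}
OUTLOOK_KEY = re.compile(r"\\(Outlook|Windows Messaging Subsystem)\\Profiles", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)


def run_signatures(trace):
    """Replay the trace in order and return the set of signature names raised."""
    hits = set()
    dropped = set()    # lower-cased paths the sample wrote to disk
    suspended = set()  # child pids the sample created with CREATE_SUSPENDED

    for c in trace:
        key = c.args.get("key", "")
        path = c.args.get("path", "").lower()

        if (c.api == "RegQueryValueExW" and GEO_KEY.search(key)
                and c.args.get("value", "").lower() in GEO_VALUES):
            hits.add("Checks computer location settings")
        elif c.api == "RegOpenKeyExW" and OUTLOOK_KEY.search(key):
            hits.add("Accesses Microsoft Outlook profiles")
        elif c.api == "RegSetValueExW" and RUN_KEY.search(key):
            hits.add("Adds Run key to start application")
        elif c.api == "WriteFile":
            dropped.add(path)
        elif c.api == "CreateProcessW":
            if path in dropped:
                hits.add("Executes dropped EXE")
            if c.args.get("flags", 0) & CREATE_SUSPENDED:
                suspended.add(c.args["child_pid"])
        elif c.api == "LoadLibraryW" and path in dropped:
            hits.add("Loads dropped DLL")
        elif c.api == "SetThreadContext":
            # Rewriting the context of a thread in another process that the
            # sample itself started suspended is the process-hollowing pattern;
            # a program adjusting one of its own threads is not flagged.
            owner = c.args["thread_owner_pid"]
            if owner != c.pid and owner in suspended:
                hits.add("Suspicious use of SetThreadContext")
    return hits


# Constructed trace modelled on the behaviours listed above; not real output
# from the sample on this page. Paths and pids are made up.
TRACE = [
    Call(1000, "RegQueryValueExW",
         {"key": r"HKEY_CURRENT_USER\Control Panel\International\Geo", "value": "Nation"}),
    Call(1000, "RegOpenKeyExW",
         {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles"}),
    Call(1000, "WriteFile", {"path": r"C:\Users\Admin\AppData\Roaming\upd\upd.exe"}),
    Call(1000, "WriteFile", {"path": r"C:\Users\Admin\AppData\Roaming\upd\helper.dll"}),
    Call(1000, "LoadLibraryW", {"path": r"C:\Users\Admin\AppData\Roaming\upd\helper.dll"}),
    Call(1000, "RegSetValueExW",
         {"key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
          "value": "upd", "data": r"C:\Users\Admin\AppData\Roaming\upd\upd.exe"}),
    Call(1000, "CreateProcessW",
         {"path": r"C:\Users\Admin\AppData\Roaming\upd\upd.exe", "flags": 0, "child_pid": 1100}),
    Call(1100, "CreateProcessW",
         {"path": r"C:\Windows\System32\notepad.exe", "flags": CREATE_SUSPENDED, "child_pid": 1200}),
    Call(1100, "SetThreadContext", {"thread_owner_pid": 1200}),
]

# A benign program touching only its own thread must raise nothing.
BENIGN = [Call(2000, "SetThreadContext", {"thread_owner_pid": 2000})]

if __name__ == "__main__":
    for name in sorted(run_signatures(TRACE)):
        print(name)
```

The checks are deliberately narrow: the geofence signature only fires on a value read, not on merely opening the key, and the SetThreadContext signature needs both a foreign target thread and a suspended child the sample created, which is what separates hollowing from the legitimate debugger and runtime uses of that API. A real engine has to do the handle-to-path and handle-to-pid resolution itself, because the registry and thread APIs take handles, not names.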