General
- Target: cb8f50d531de3822cd8ba7075bbb370d18c43c87e6fbc265dfb4281d56213447
- Size: 683KB
- Sample: 220521-nzwfpsheek
- MD5: 5bccaf893a068db00611e48c8b7ae63d
- SHA1: 4623c690301577556e864793331aef2eeda6d9fe
- SHA256: cb8f50d531de3822cd8ba7075bbb370d18c43c87e6fbc265dfb4281d56213447
- SHA512: a2544a1e22d6afaa4f8bcacf755077aa4831bad92b0aa9fb472743c537a7780b577c8b11eff43c97e6007cf0651d8b9ab5cb311d6f43069266151d1b2a546a0a
Static task: static1
Behavioral task: behavioral1
- Sample: payment copy.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: payment copy.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.acmasindia.com
- Port: 587
- Username: feedback@acmasindia.com
- Password: 7R?_e#f.wLob
Extracted
- Protocol: smtp
- Host: mail.acmasindia.com
- Port: 587
- Username: feedback@acmasindia.com
- Password: 7R?_e#f.wLob
Targets
- Target: payment copy.exe
- Size: 716KB
- MD5: e5f74fba39a57d9e8f42b3073447b283
- SHA1: 429ab9b34e3cfadce00baf207f4a2a87666785de
- SHA256: 4282ae23bf6e1a962085b045a712056a9d98c1e03d9d77c6a226d3fc7ed89776
- SHA512: f1754b72140111d0241720407d05e1e610ff08aad96289f2af51461d3ad1e7e0d4741ad7b28724e531a6195969a0105380b982d5509c52a98bb44ae85d95924e
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext