General

Target: 9ee7f424459fe2f8626518e88f8b280fe7ad77829a440fc66c64e71ed3246bbb
Size: 489KB
Sample: 220521-pacsqsabap
MD5: 43d1fcb04aaf34c5d523236196420f3d
SHA1: db4982b5920c6a9580de878e37ba743bd35045b4
SHA256: 9ee7f424459fe2f8626518e88f8b280fe7ad77829a440fc66c64e71ed3246bbb
SHA512: bca9a923fe9ea62ae214479f606ed9ce08e926b935c3db711f4a0933c7723606d3c792a0aa37cdbb1af32ed234b14f90ce10271bc724d64bf95fb8c59ca75bd2
Static task: static1

Behavioral task: behavioral1
Sample: COPY.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: COPY.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.sanfusin.com.tw
Port: 587
Username: ab11@sanfusin.com.tw
Password: philomina1234567890

This is the exfiltration configuration recovered from the sample: collected data is sent by authenticated SMTP submission (port 587) through the listed account. The host and the mailbox are operator infrastructure (or a compromised legitimate account) and should be treated as indicators.
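The extracted config is directly usable for hunting. The block below is an added example written for this page (not code from the sandbox report or from any AgentTesla tooling): it parses the flattened config block as it appears above, defangs the indicators, and runs them over a few constructed Sysmon-style outbound-connection events. The host, port and mailbox are the report's values; the event format, the process paths and the mail-client allow-list are assumptions.

```python
"""Turn the AgentTesla SMTP config above into IOCs and run them over network events.

Added example by the editor, not code from the sandbox report or from
AgentTesla tooling. The host, port and account are the values the report
extracted; CONFIG_TEXT is the report's flattened block, and the network
event lines are constructed in a Sysmon-like "Key: value" style (an assumed
format, not real telemetry).
"""
import re
from typing import Dict, List

# The extracted config block, copied from the report (flattened by extraction).
CONFIG_TEXT = """Protocol: smtp- Host:
mail.sanfusin.com.tw - Port:
587 - Username:
ab11@sanfusin.com.tw - Password:
philomina1234567890"""

# Constructed outbound-connection events (format assumed; hosts other than
# the C2 are documentation/example addresses).
EVENTS = [
    "Image: C:\\Users\\victim\\AppData\\Roaming\\COPY.exe DestinationHostname: mail.sanfusin.com.tw DestinationPort: 587",
    "Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE DestinationHostname: smtp.office365.com DestinationPort: 587",
    "Image: C:\\Users\\victim\\AppData\\Local\\Temp\\svchost.exe DestinationHostname: 203.0.113.10 DestinationPort: 587",
    "Image: C:\\Windows\\System32\\svchost.exe DestinationHostname: update.example.net DestinationPort: 443",
]

# Processes for which SMTP submission traffic is expected (assumed allow-list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def parse_config(text: str) -> Dict[str, str]:
    """Split the flattened 'Key: value - Key: value' block into a dict with lower-case keys."""
    flat = " ".join(text.split())
    fields = {}
    for part in re.split(r"\s*-\s*(?=\w+:)", flat):
        key, value = part.split(":", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def defang(value: str) -> str:
    """Defang a hostname or mailbox so it cannot be resolved or clicked by accident."""
    return value.replace(".", "[.]").replace("@", "[at]")


def iocs(cfg: Dict[str, str]) -> Dict[str, str]:
    """Indicators worth sharing: the C2 mail host, the socket and the attacker mailbox."""
    return {
        "c2_host": defang(cfg["host"]),
        "c2_socket": f"{defang(cfg['host'])}:{cfg['port']}",
        "exfil_mailbox": defang(cfg["username"]),
    }


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'Key: value Key: value' event line; values may contain spaces and colons."""
    return dict(re.findall(r"(\w+): (.+?)(?=\s\w+:\s|$)", line))


def flag_events(cfg: Dict[str, str], events: List[str]) -> List[Dict[str, str]]:
    """Flag connections to the extracted C2 host, and SMTP submission from processes that are not mail clients."""
    hits = []
    for line in events:
        ev = parse_event(line)
        process = ev["Image"].rsplit("\\", 1)[-1].lower()
        if ev["DestinationHostname"].lower() == cfg["host"].lower():
            hits.append({"reason": "connection to extracted AgentTesla SMTP host", **ev})
        elif ev["DestinationPort"] == cfg["port"] and process not in MAIL_CLIENTS:
            hits.append({"reason": "SMTP submission from a non-mail-client process", **ev})
    return hits


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    print("IOCs:", iocs(config))
    for hit in flag_events(config, EVENTS):
        print(f"{hit['reason']}: {hit['Image']} -> {hit['DestinationHostname']}:{hit['DestinationPort']}")
```

The second rule (port 587 from anything that is not a mail client) is the one that survives a change of C2 host, which AgentTesla operators rotate far more often than they change their exfiltration method; the first rule is exact but only catches this build.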
Targets

Target: COPY.exe
Size: 524KB
MD5: a21ce2c71ed22848481762cb30e2e14d
SHA1: bc4abd722a2d078b21e1877a4f648ecb63a3aa8f
SHA256: 65fa84dd1967467b1ec2be1efa3562a6a4db188835f3c53517add8fc825a0edc
SHA512: 872d1396bb112a6f84b45f2cb847fd4dda1918517c1f6c02ba8b6e8ed50ad17c0013d9ef7e34e807c07454d9b941a02694ad8ff2cfd5a3b2c1e2590094abcf4d
AgentTesla
Agent Tesla is a .NET-based remote access trojan and information stealer (keystrokes, clipboard, browser and mail-client credentials) that exfiltrates what it collects over SMTP, FTP or HTTP; this sample's extracted config uses SMTP.

CoreEntity .NET Packer
A .NET packer (CoreEntity) that stores the real payload inside an embedded Bitmap object and decrypts it at runtime before loading it.

AgentTesla Payload

CoreCCC Packer
Detects the CoreCCC packer used to load .NET malware.

Checks computer location settings
Looks up the country code configured in the registry, most likely a geofence that decides whether the payload runs.

Accesses Microsoft Outlook profiles
Reads Outlook profile data, where mail account settings and saved credentials are kept; this is part of the credential harvesting.

Adds Run key to start application
Writes a value under a ...\Software\Microsoft\Windows\CurrentVersion\Run key so the sample is started again at logon (persistence).

Suspicious use of SetThreadContext
SetThreadContext is used to redirect a (typically suspended) thread to attacker-controlled code, a hallmark of process hollowing and similar injection techniques.
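To make the CoreEntity signature concrete, the block below is an added example written for this page, not the packer's code and not anything the sandbox produced. The report states only that the payload is embedded as a Bitmap object and decrypted later; the scheme used here (a 24-bit BMP carrying the pixel stream, a 4-byte little-endian payload length in front, single-byte XOR) is an assumption chosen to show the mechanics, and PAYLOAD is constructed stand-in data rather than a real binary. It shows the packer side (hiding), the unpacker side (BMP parsing with row-padding and bottom-up row order handled, then decryption) and the analyst side (recovering a single-byte key from the expected PE magic).

```python
"""Recover a payload hidden in a Bitmap resource, as the CoreEntity packer signature describes.

Added example by the editor, not the packer's code and not the sandbox's.
The report states only that the payload is embedded as a Bitmap object and
decrypted later; the concrete scheme here (24-bit BMP, payload length in the
first 4 pixel bytes, single-byte XOR) is an assumption picked to show the
mechanics, and PAYLOAD is constructed stand-in data, not a real binary.
"""
import struct
from typing import Optional

# Constructed stand-in for the embedded .NET payload: a PE-like "MZ" magic plus filler text.
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"constructed stand-in for the embedded .NET payload, not real code"
KEY = 0x5A  # assumed single-byte XOR key


def build_bmp(pixel_bytes: bytes, width: int) -> bytes:
    """Wrap raw pixel data in a minimal 24-bit BMP; rows are padded to 4 bytes and stored bottom-up."""
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    height = -(-len(pixel_bytes) // row_bytes)  # ceiling division
    rows = [
        pixel_bytes[r * row_bytes:(r + 1) * row_bytes].ljust(stride, b"\x00")
        for r in range(height)
    ]
    body = b"".join(reversed(rows))  # positive height => bottom-up row order
    pixel_offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", pixel_offset + len(body), 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_header + dib_header + body


def bmp_pixel_bytes(bmp: bytes) -> bytes:
    """Parse the BMP headers and return the pixel stream top-down with row padding removed."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    _dib_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    if bpp != 24:
        raise ValueError(f"unsupported bit depth {bpp}")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    rows = [bmp[pixel_offset + r * stride: pixel_offset + r * stride + row_bytes] for r in range(abs(height))]
    if height > 0:
        rows.reverse()  # undo bottom-up storage
    return b"".join(rows)


def hide(payload: bytes, key: int, width: int = 15) -> bytes:
    """Packer side: XOR the payload, prefix its length, store the stream as bitmap pixels."""
    stream = struct.pack("<I", len(payload)) + bytes(b ^ key for b in payload)
    return build_bmp(stream, width)


def reveal(bmp: bytes, key: int) -> bytes:
    """Unpacker side: pull the pixel stream, read the length prefix, XOR-decrypt the payload."""
    stream = bmp_pixel_bytes(bmp)
    (length,) = struct.unpack_from("<I", stream, 0)
    encrypted = stream[4:4 + length]
    if len(encrypted) != length:
        raise ValueError("pixel stream shorter than the declared payload length")
    return bytes(b ^ key for b in encrypted)


def brute_force_key(bmp: bytes) -> Optional[int]:
    """Analyst side: a single-byte XOR leaks its key; find the one that yields a PE 'MZ' magic."""
    stream = bmp_pixel_bytes(bmp)
    for key in range(256):
        if bytes(b ^ key for b in stream[4:6]) == b"MZ":
            return key
    return None


if __name__ == "__main__":
    bitmap = hide(PAYLOAD, KEY)
    recovered_key = brute_force_key(bitmap)
    print(f"BMP of {len(bitmap)} bytes, recovered key 0x{recovered_key:02x}")
    print(reveal(bitmap, recovered_key)[:16])
```

Against a real CoreEntity sample the first step is to dump the Bitmap resource with a .NET decompiler and locate the routine that consumes it; the length prefix, key and cipher will be whatever that routine implements, and the parsing here only needs to be adjusted at `reveal`. The width of 15 pixels is chosen so that the 45-byte rows need 3 bytes of padding, which is exactly the detail a naive "read the pixel bytes" unpacker gets wrong.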