General
- Target: 53f960b99fdb4e906997738c31b14a3490955c43d8366f8e67c12270d56cbbf1
- Size: 400KB
- Sample: 220521-pbvd6sfab2
- MD5: b66861abcddf28c006b297f57cb7df9d
- SHA1: f1e611c41e3c1bf307e0ec620ab1aa5c46af3d1c
- SHA256: 53f960b99fdb4e906997738c31b14a3490955c43d8366f8e67c12270d56cbbf1
- SHA512: e088a8e667d61f4c50ee084439e8c947bb7ae09a7091bb7750c8035e1aa6fc746f8411b05cfa592edddfc7bfb9ec767c03faebe0e8305b43ee03e3c45f4dc076
Static task: static1
Behavioral task: behavioral1
- Sample: IMG 24344 NEW ORDER_PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: IMG 24344 NEW ORDER_PDF.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.candenizcilik.com
- Port: 587
- Username: info@candenizcilik.com
- Password: 519025
Targets
- Target: IMG 24344 NEW ORDER_PDF.exe
- Size: 462KB
- MD5: 588ca298816b0e8e9e86b7206aba23db
- SHA1: b517875f65071fb402a1284048e269ec5a409971
- SHA256: a84d2a22a173f3cd1c23c42fa2c11ad1ba34ab2ab1df8c71823e029712ae7ae6
- SHA512: 08a356d128037732b40217b16b9581a58f8140b519ec079383c7b166aa78b9fad16373fd437f06ca9703b76817c6c6c2f250cd58df34084b386a41f3e5bc390a
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext