General
- Target: 0ffd3cc8c5628fff810737b47b2788735af8281dd86c2a6b1695868cfc53eae2
- Size: 493KB
- Sample: 220521-pcbcpafac7
- MD5: 8dc1ab771df2b456ff61bf94c51932fd
- SHA1: a7ea762d33da3cd643baece6e3ba0613b82905be
- SHA256: 0ffd3cc8c5628fff810737b47b2788735af8281dd86c2a6b1695868cfc53eae2
- SHA512: b6cd882edc981453d3e37a659e812e49d584cd4f2fa83a70f60ecb880c18722595a6f612b2b707cb57fdfab52770865ebd800ab261a2e43413764fe89e0be45c
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Sheet 2020.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Purchase Sheet 2020.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: mikhiliovsergey@mail.ru
- Password: godwill12
Targets
- Target: Purchase Sheet 2020.exe
- Size: 611KB
- MD5: a6619cf730f2e03c81aeb9fefcd70778
- SHA1: 2dca6afaf991614515c6f4fa59ce32460e0872e4
- SHA256: f4ce706bea83c92bea67552077d4b3d9c1d1d58add3d8a53763cd5def3b23138
- SHA512: 18330333e39596142bada9d13a039e7390946e736f3e214affa626df2ac29eebfa7a0eff9743a2d92d4d1daded98f7eddd6d916874087b9bcf0ac986283c1e25
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext