General
Target: 9511a30639a096cec9156a0cd3184875516a17956522108e4053bc2c76019c94
Size: 438KB
Sample: 220521-phvcraaegp
MD5: b7c2694702c9b0370e6a0808401755ca
SHA1: d57ecd2e9fa24369501690c4f4571a2610d823cc
SHA256: 9511a30639a096cec9156a0cd3184875516a17956522108e4053bc2c76019c94
SHA512: 0fd80238b00340bbe0de4c9ba3871b26866d48b504f9f885d8d37bb6005c8490bdb485922fc81ca6bac8172bb14d2c2b54c0600923778ba8da3ddf9ac39db37d
Static task: static1
Behavioral task: behavioral1
Sample: UPDATED STATEMENT OF ACCOUNT.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: UPDATED STATEMENT OF ACCOUNT.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: sales@bluerangesa.net
Password: bluerange192
Targets
Target: UPDATED STATEMENT OF ACCOUNT.exe
Size: 517KB
MD5: ea02ba05886fe6b37ce64156bb61f6f6
SHA1: 032ee549892fcc1c9997a24219f9a152e32219e4
SHA256: 008166254b8e5a8426887188cdf60bf1c213485d5bab7cb92fa9006835dfcb64
SHA512: 1e2843f9e3536cfd197419e485b0dddd3836ef046501e6155af38f04930e84fe05a5eb0c3ff4f0150f3c20ab0236511904ab89f97e1e511f83b73ce3f4006d11
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
- AgentTesla Payload
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext