General
Target: 70e30acf81923cadd480f66f2fc63a56987e6e402258c4f59c629ec345e28634
Size: 1.2MB
Sample: 220521-pkbnesfdh2
MD5: cd2a010e64ef7a8524c6de842a81e98e
SHA1: 0cf5ecd11fe746ac696f0ba62b743a125d6f37df
SHA256: 70e30acf81923cadd480f66f2fc63a56987e6e402258c4f59c629ec345e28634
SHA512: fa4edfe76bed79845f1346bbe4fec3551720b89a43fa5b0e729a83793da06ed12f8e2d0144ba1507eebb97ba8b2056400eeab46d41db1cece942c7bfc2789c07
Static task: static1
Behavioral task: behavioral1
Sample: FUND_APP.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: FUND_APP.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.bubuyayaa.com
Port: 587
Username: teamwork@bubuyayaa.com
Password: bubuyaya007
These are the attacker-controlled SMTP credentials the sample uses to mail stolen data out; the host and account are indicators of compromise for the exfiltration channel, not a victim mailbox.
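Turning the extracted configuration into a hunt, as an added example that is not part of the sandbox report: the script below scores constructed Sysmon Event ID 3 (network connection) records against the exfil host and port from the config. The field names are Sysmon's but every value is made up; the MAIL_CLIENTS allowlist is an assumption about which processes may legitimately speak SMTP submission on a given fleet. The second rule exists because Sysmon fills DestinationHostname by reverse DNS, so the hostname IOC is often missing and port-based logic has to carry the match.

```python
"""Hunt for the AgentTesla exfiltration channel from the extracted config.

Added example; not part of the sandbox report. Log lines are constructed to
look like Sysmon Event ID 3 records flattened to 'Field=value' pairs; field
names are Sysmon's, values are invented.
"""
import re
from typing import Dict, List, Optional, Tuple

# Taken from the extracted AgentTesla config above.
EXFIL_HOST = "smtp.bubuyayaa.com"
EXFIL_PORT = 587

# Assumption: the only processes expected to speak SMTP submission here.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# 'Field=value' pairs; values may contain spaces, so stop at the next ' Field='.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'A=1 B=two words C=3' into a dict."""
    return dict(FIELD.findall(line.strip()))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Verdict for a suspicious outbound connection, or None."""
    if event.get("EventID") != "3" or event.get("Initiated") != "true":
        return None
    host = event.get("DestinationHostname", "").lower()
    port = int(event.get("DestinationPort", "0"))
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if host == EXFIL_HOST:
        return "high: %s connected to AgentTesla exfil host %s" % (image, host)
    # Sysmon fills DestinationHostname by reverse lookup, so the IOC may be
    # absent ('-'); fall back to "who is talking SMTP submission at all".
    if port == EXFIL_PORT and image not in MAIL_CLIENTS:
        return "medium: %s opened tcp/%d to %s" % (
            image, port, event.get("DestinationIp", "?"))
    return None


def hunt(log_text: str) -> List[Tuple[str, str]]:
    """Return (image, verdict) for every flagged line, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("Image", ""), verdict))
    return hits


# Constructed log: one legitimate mail client, two connections by the sample
# (one where the hostname resolved, one where only the IP was logged), noise.
SAMPLE_LOG = """
EventID=3 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE Initiated=true DestinationIp=198.51.100.25 DestinationHostname=smtp.office365.com DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\\Users\\user\\Downloads\\FUND_APP.exe Initiated=true DestinationIp=203.0.113.10 DestinationHostname=smtp.bubuyayaa.com DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\\Users\\user\\Downloads\\FUND_APP.exe Initiated=true DestinationIp=203.0.113.10 DestinationHostname=- DestinationPort=587 Protocol=tcp
EventID=3 Image=C:\\Windows\\System32\\svchost.exe Initiated=true DestinationIp=198.51.100.7 DestinationHostname=ctldl.windowsupdate.com DestinationPort=80 Protocol=tcp
EventID=1 Image=C:\\Users\\user\\Downloads\\FUND_APP.exe CommandLine=FUND_APP.exe
"""

if __name__ == "__main__":
    for image, verdict in hunt(SAMPLE_LOG):
        print(verdict)
```

The medium-severity rule will also catch legitimate scripts and monitoring agents that send mail, so tune MAIL_CLIENTS to the environment rather than relying on the two names assumed here.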
Targets
Target: FUND_APP.EXE
Size: 507KB
MD5: e174ddd754ba98495721027618f36ece
SHA1: 17a964ea8949cedb839afbb9e851ab4442fee2bf
SHA256: d33efcce86a05a724b6238a4957a4ea348db0e01578b750919332fa4c6f96e21
SHA512: b39f58d6c7cf8069600bb3347aa130f93e61907bb54f1996942203b1ad1060557d0d33944f7366a59eafeb003bdaab7014af8a284ddc489e734108bf885d97ab
- AgentTesla: Agent Tesla is a .NET information stealer and remote access tool (RAT) written in Visual Basic; it harvests credentials and keystrokes and, as the extracted config shows for this sample, mails them out over SMTP.
- CoreEntity .NET Packer: A .NET packer, CoreEntity, that carries the encrypted payload as an embedded Bitmap object and decrypts it at runtime.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Disables Task Manager via registry modification
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles: Outlook account settings live under the profile keys, which is where a stealer looks for mail credentials.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext: Setting the context of a thread in another process is the final step of process hollowing (RunPE), a common way for a packer to start its decrypted payload.
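The signatures above are each backed by a specific registry location or API sequence. As an added example (not code from the sandbox, nor from the AgentTesla or CoreEntity authors), the script below maps a constructed sandbox API trace onto the same signature names: the registry paths are the well-known keys behind each check, the trace format ("pid api args") and the process IDs are invented, and the SetThreadContext rule only fires when the target thread belongs to another process, with the full suspended-write-context-resume chain reported as process hollowing.

```python
"""Map a sandbox API trace onto the behaviours listed above.

Added example; not code from the sandbox or from the AgentTesla/CoreEntity
authors. Trace lines are constructed ('pid api args'); the registry paths
are the well-known locations behind each signature.
"""
import re
from typing import Dict, List, Optional, Tuple

# (signature, APIs that count, regex over the 'key[\value[=data]]' argument)
REGISTRY_RULES: List[Tuple[str, Tuple[str, ...], str]] = [
    ("Looks for VirtualBox Guest Additions in registry",
     ("RegOpenKeyExW", "RegQueryValueExW"),
     r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions"),
    ("Looks for VMWare Tools registry key",
     ("RegOpenKeyExW", "RegQueryValueExW"),
     r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools"),
    ("Checks BIOS information in registry",
     ("RegOpenKeyExW", "RegQueryValueExW"),
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\"),
    ("Checks computer location settings",
     ("RegOpenKeyExW", "RegQueryValueExW"),
     r"\\Control Panel\\International\\Geo\\"),
    ("Maps connected drives based on registry",
     ("RegOpenKeyExW", "RegQueryValueExW"),
     r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum"),
    ("Accesses Microsoft Outlook profiles",
     ("RegOpenKeyExW", "RegQueryValueExW", "RegEnumKeyExW"),
     r"\\Outlook\\Profiles\\|\\Windows Messaging Subsystem\\Profiles\\"),
    # The one write: the policy value that greys out Task Manager.
    ("Disables Task Manager via registry modification",
     ("RegSetValueExW",),
     r"\\Policies\\System\\DisableTaskMgr=1$"),
]

# Order of the process-hollowing (RunPE) chain that ends in SetThreadContext.
STAGES = ("suspended", "written", "context", "resumed")


def parse_trace(lines) -> List[Tuple[int, str, str]]:
    """One call per line: '<pid> <api> <args>'; '#' lines and blanks skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ", 2)
        events.append((int(parts[0]), parts[1], parts[2] if len(parts) > 2 else ""))
    return events


def kv(args: str) -> Dict[str, str]:
    """Pull 'name=value' tokens out of an argument string."""
    return dict(tok.split("=", 1) for tok in args.split() if "=" in tok)


def stage_of(pid: int, api: str, f: Dict[str, str]) -> Tuple[Optional[int], Optional[str]]:
    """Which hollowing stage, against which child pid, this call represents."""
    if api == "CreateProcessW" and "CREATE_SUSPENDED" in f.get("flags", ""):
        return (int(f["child"]), "suspended") if "child" in f else (None, None)
    target = int(f.get("pid", pid))
    if target == pid:          # touching your own threads is not injection
        return None, None
    if api in ("WriteProcessMemory", "NtWriteVirtualMemory"):
        return target, "written"
    if api == "SetThreadContext":
        return target, "context"
    if api == "ResumeThread":
        return target, "resumed"
    return None, None


def analyse(trace_text: str) -> Dict[str, List[str]]:
    """Return {signature: [evidence, ...]} for the behaviours in the trace."""
    report: Dict[str, List[str]] = {}
    progress: Dict[int, int] = {}      # child pid -> stages matched, in order
    cross_ctx: List[int] = []
    for pid, api, args in parse_trace(trace_text.splitlines()):
        for sig, apis, pattern in REGISTRY_RULES:
            if api in apis and re.search(pattern, args):
                report.setdefault(sig, []).append(args)
        child, stage = stage_of(pid, api, kv(args))
        if stage is None:
            continue
        if stage == "context" and child not in cross_ctx:
            cross_ctx.append(child)
        done = progress.get(child, 0)
        if done < len(STAGES) and STAGES[done] == stage:
            progress[child] = done + 1
    for child in cross_ctx:
        what = ("process hollowing of pid %d" % child
                if progress.get(child) == len(STAGES)
                else "cross-process SetThreadContext on pid %d" % child)
        report.setdefault("Suspicious use of SetThreadContext", []).append(what)
    return report


# Constructed trace approximating what a sandbox would log for this sample.
SAMPLE_TRACE = """
# pid api args
1234 RegOpenKeyExW HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
1234 RegOpenKeyExW HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
1234 RegQueryValueExW HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer
1234 RegQueryValueExW HKCU\\Control Panel\\International\\Geo\\Nation
1234 RegQueryValueExW HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\\0
1234 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr=1
1234 RegEnumKeyExW HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook
1234 CreateProcessW image=C:\\Users\\user\\FUND_APP.exe flags=CREATE_SUSPENDED child=4321
1234 WriteProcessMemory pid=4321 size=519168
1234 SetThreadContext pid=4321 tid=77
1234 ResumeThread pid=4321 tid=77
"""

if __name__ == "__main__":
    for sig, evidence in analyse(SAMPLE_TRACE).items():
        print(sig)
        for item in evidence:
            print("   ", item)
```

Reading the BIOS, Geo and Disk\Enum keys is also done by plenty of benign software, so on their own these are weak signals; they become meaningful in combination, and in particular alongside a cross-process SetThreadContext, which almost no legitimate application performs.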