General
- Target: 6d123955f4e88f7aa0e4466d063033f054f28714a53229c77e18d5cfaee44792
- Size: 433KB
- Sample: 220521-pknb8aafgn
- MD5: 2dc214ccf4770c4b2615dab34067c52a
- SHA1: 3ba9e3fec582010c454ddd7f5c2f92fe3c9c56b0
- SHA256: 6d123955f4e88f7aa0e4466d063033f054f28714a53229c77e18d5cfaee44792
- SHA512: 08b53bca8aecc6d70b5178121fdd7b604186f39bf29d2316e7c2acb863112b4ae146e05267dc995e57d181a8329308725593f8c22647a591bdddec9ec358be7d
Static task
- static1
Behavioral task
- behavioral1
- Sample: CT_Y039581726.exe
- Resource: win7-20220414-en
Behavioral task
- behavioral2
- Sample: CT_Y039581726.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted
- agenttesla
- Protocol: smtp
- Host: smtp.gfaqrochem.com
- Port: 587
- Username: turkey@gfaqrochem.com
- Password: k@rCFBF4
Targets
- Target: CT_Y039581726.exe
- Size: 509KB
- MD5: 120d7f3a1d90817bae339b50b40d17d3
- SHA1: 79ce12a56cda10d463fc45926eeb216c133d9702
- SHA256: 48a8412a53603f0802d074c01c6792940732155c95b38b168d37965ecadba031
- SHA512: dc60c97026a63cd77ab241a8cb63ac1875ba1af6fe76aa1f30dc3fe6d04c3c0bd1ff6ae3d4f5b096540a76b7bb6e826f91242fab5c68836822aea9b63f6e173a
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
- AgentTesla Payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext