General
- Target: 5a394820228d34b9b0a7ecd5e02de5eef77988251a0ba90e17618fee964312e7
- Size: 425KB
- Sample: 220521-pldjeaagal
- MD5: 8c00a22ad035812858244b1181907808
- SHA1: 9acbfc68aca4343b4752eddcbe9269896d0e2983
- SHA256: 5a394820228d34b9b0a7ecd5e02de5eef77988251a0ba90e17618fee964312e7
- SHA512: 77e8fb795875be82ddde8b9a33e750a3e89b5db42ab4ffbb6bb9a28cfa03c6f19c366338da70d5e1ea67b82eeff6fffd6a4c7798a279b2a9cb3c2fc001c2740c
Static task: static1
Behavioral task: behavioral1
  Sample: Order_884773_List.doc.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: Order_884773_List.doc.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: premium57.web-hosting.com
  Port: 587
  Username: support@zoomexpress.online
  Password: Goodboy123??
Targets
- Target: Order_884773_List.doc.exe
- Size: 505KB
- MD5: 0163ac2797196663b91439a473b42751
- SHA1: 441ce22c6d9704888ce612f03c7f170b3e993c23
- SHA256: e651957af4c527f8a23f8c3094232c887e2a433974ab54e48e2519e8361809a6
- SHA512: 8bf39dbc267ec9e826887c771f98a27348a0069446bc3d46e13c705f92b50fae4f47324450c47cdf6f491f07ad61dd21d368452a60c5ae0f30178350ef9b1daa
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
- AgentTesla Payload
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext