General
- Target: 3b9a5cc3455c7dcd9bf22edb4e989661098025623b865621e9a4b41cd719150b
- Size: 425KB
- Sample: 220521-pmne1affc2
- MD5: 6d3991f468022150509d459276e4e429
- SHA1: b1fcbe863843b616366f69a5b155532def53a384
- SHA256: 3b9a5cc3455c7dcd9bf22edb4e989661098025623b865621e9a4b41cd719150b
- SHA512: 8c0d06aa24439f1dcb6fb434d7b23466a655ff4c224c0c5396919dba8eea0d0e5daa39d32529f313b20e6b9f7ade0d0552fa1214c05e508a74941927d5231c89
Static task: static1
Behavioral task: behavioral1
- Sample: Order_4488577_list.doc.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Order_4488577_list.doc.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: premium57.web-hosting.com
- Port: 587
- Username: japan-dea@zoomexpress.online
- Password: Goodboy123??
Targets
Target: Order_4488577_list.doc.exe
- Size: 505KB
- MD5: 3089c7102435d9700d73ef949b43f634
- SHA1: 5a18fc13f09fde131207b0c0ea723da477804cab
- SHA256: e2ee107b59612c9ca7bc1df9d460f3c7205503aaa92346bcab201cb7c153f25a
- SHA512: 0e8f3cf8de7c91ed16552d978be0ab03265dbf1205f9706c53c7db938cf6e4645bc27f9620e053bf7d3b80e8d3dacf0e2291ac988c46e9ac1f3bc1917e57001c
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. This sample exfiltrates over SMTP using the mailbox credentials in the extracted configuration above.
- CoreEntity .NET Packer: a .NET packer (CoreEntity) that stores the payload inside an embedded Bitmap object; the pixel data is read back and decrypted at runtime before the real payload is loaded.
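The bitmap trick above is easier to recognise once you have seen the bytes move. The following is an added example, not code from the page or from the packer itself: it packs a length-prefixed, XOR-encrypted payload into the pixel rows of a 24-bpp BMP and then parses the BMP headers to recover it, the way an analyst's extractor would. The exact layout (4-byte length prefix, byte-per-channel BGR packing, a single-byte XOR key) is an assumption chosen for the demo; the report does not document CoreEntity's real encoding or key.

```python
import struct

# Assumed demo parameters; CoreEntity's real key and layout are not on the page.
XOR_KEY = 0x5A
BMP_WIDTH = 16          # pixels per row, 3 bytes (B,G,R) each


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest form of the 'decrypt the bitmap' step."""
    return bytes(b ^ key for b in data)


def pack_payload_into_bmp(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Build a minimal 24-bpp BMP whose pixel bytes carry len || xor(payload)."""
    body = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    row_bytes = BMP_WIDTH * 3
    stride = (row_bytes + 3) & ~3                # BMP rows are padded to 4 bytes
    height = -(-len(body) // row_bytes)          # ceil(len(body) / row_bytes)
    padded = body + b"\x00" * (row_bytes * height - len(body))
    rows = [padded[i * row_bytes:(i + 1) * row_bytes] for i in range(height)]
    # BMP stores scanlines bottom-up, so the first logical row is written last.
    pixel_data = b"".join(r + b"\x00" * (stride - row_bytes) for r in reversed(rows))
    info_hdr = struct.pack("<IiiHHIIiiII", 40, BMP_WIDTH, height, 1, 24, 0,
                           len(pixel_data), 2835, 2835, 0, 0)
    offset = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixel_data), 0, 0, offset)
    return file_hdr + info_hdr + pixel_data


def extract_payload_from_bmp(bmp: bytes, key: int = XOR_KEY) -> bytes:
    """Parse BITMAPFILEHEADER/BITMAPINFOHEADER, read pixel bytes in logical
    top-down order, then strip the length prefix and decrypt."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("demo only handles 24-bpp bitmaps")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    bottom_up = height > 0                       # negative height means top-down
    height = abs(height)
    rows = [bmp[pixel_offset + i * stride: pixel_offset + i * stride + row_bytes]
            for i in range(height)]
    if bottom_up:
        rows.reverse()
    stream = b"".join(rows)
    length = struct.unpack_from("<I", stream, 0)[0]
    if length > len(stream) - 4:
        raise ValueError("declared payload length exceeds pixel data")
    return xor_bytes(stream[4:4 + length], key)


def demo_roundtrip() -> bool:
    """Constructed stand-in for a PE payload (starts with the 'MZ' magic)."""
    payload = b"MZ" + bytes(range(256)) * 2
    return extract_payload_from_bmp(pack_payload_into_bmp(payload)) == payload


if __name__ == "__main__":
    print("round trip ok:", demo_roundtrip())
```

When triaging a real packed sample, the same parse-then-decrypt loop applies to the Bitmap resource pulled out of the .NET assembly; what changes is the key and the channel order, which you recover from the unpacking routine rather than guess.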
- AgentTesla Payload
- Checks computer location settings: looks up the country code configured in the registry, most likely a geofence check.
- Accesses Microsoft Outlook profiles: consistent with Agent Tesla harvesting credentials stored by mail clients.
- Suspicious use of SetThreadContext: typical of process hollowing, where a payload is written into a suspended process and the main thread's context is redirected to it before the thread is resumed.
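SetThreadContext on its own is not malicious (debuggers use it), so the signal comes from the surrounding API sequence. Below is an added example, not part of the report, that runs a hollowing detector over a constructed API trace in the shape a sandbox would log (caller pid, API name, arguments): it flags a target process only when a suspended CreateProcess, cross-process WriteProcessMemory, SetThreadContext and ResumeThread all hit the same pid. The trace contents, pids and image name are constructed for the demo and are not from this sample.

```python
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit used by hollowing loaders

# Constructed trace: not real data from this report. Tuples are
# (caller_pid, api, args). The target image name is a placeholder.
TRACE = [
    (1234, "CreateProcessW", {"image": "hollowed_host.exe", "flags": 0x4, "child_pid": 5678}),
    (1234, "NtUnmapViewOfSection", {"target_pid": 5678}),
    (1234, "VirtualAllocEx", {"target_pid": 5678, "size": 0x2A000, "protect": 0x40}),
    (1234, "WriteProcessMemory", {"target_pid": 5678, "size": 0x400}),
    (1234, "WriteProcessMemory", {"target_pid": 5678, "size": 0x29000}),
    (1234, "SetThreadContext", {"target_pid": 5678}),
    (1234, "ResumeThread", {"target_pid": 5678}),
]

# Constructed benign activity: a self-targeted context change (debugger-style)
# and a launcher that creates a child suspended but never writes into it.
BENIGN_TRACE = [
    (4321, "GetThreadContext", {"target_pid": 4321}),
    (4321, "SetThreadContext", {"target_pid": 4321}),
    (9999, "CreateProcessW", {"image": "child.exe", "flags": 0x4, "child_pid": 10000}),
    (9999, "ResumeThread", {"target_pid": 10000}),
]


def detect_process_hollowing(trace):
    """Return one finding per target pid that shows the full hollowing chain."""
    state = defaultdict(lambda: {"suspended": False, "unmapped": False,
                                 "written": 0, "ctx": False, "resumed": False,
                                 "parent": None})
    for caller, api, args in trace:
        if api.startswith("CreateProcess") and args.get("flags", 0) & CREATE_SUSPENDED:
            s = state[args["child_pid"]]
            s["suspended"] = True
            s["parent"] = caller
            continue
        target = args.get("target_pid")
        if target is None or target == caller:
            continue        # self-targeted calls are not cross-process injection
        s = state[target]
        if api == "NtUnmapViewOfSection":
            s["unmapped"] = True
        elif api == "WriteProcessMemory":
            s["written"] += args.get("size", 0)
        elif api == "SetThreadContext":
            s["ctx"] = True
        elif api == "ResumeThread":
            s["resumed"] = True

    findings = []
    for pid, s in state.items():
        if s["suspended"] and s["written"] and s["ctx"] and s["resumed"]:
            findings.append({
                "target_pid": pid,
                "parent_pid": s["parent"],
                "technique": "process hollowing",
                "unmapped": s["unmapped"],      # classic variant; not all loaders unmap
                "bytes_written": s["written"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_process_hollowing(TRACE):
        print(f)
```

The unmap step is recorded but not required, because several .NET loaders skip NtUnmapViewOfSection and simply overwrite the image in place; requiring it would miss them while adding little precision.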