General
- Target: 06a0b1d3f82dc20931af89b03e39602e403972162eff59510b1aa0b2f66b19f8
- Size: 447KB
- Sample: 220521-ppv8mafgc8
- MD5: f7ac0b9dbaf83b2e96710af501a888ca
- SHA1: 32917a9487d6521d4bda65483ee4daa3feb41f68
- SHA256: 06a0b1d3f82dc20931af89b03e39602e403972162eff59510b1aa0b2f66b19f8
- SHA512: 23e94950ee99fa040313e965ae97eb9d862abfd267963af43436e9e9d57bce6cd58ed7fd93cbe08b0e8ff49b4ba1e5ad6f7094a475b706885cacd93e22db9c32
Static task: static1
Behavioral task: behavioral1
- Sample: ScanNewOrder_PDF.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: ScanNewOrder_PDF.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: alazilch@yandex.com
- Password: internationallove147
Targets
- Target: ScanNewOrder_PDF.exe
- Size: 522KB
- MD5: 09eb69a89839e979e06989df7ea5181f
- SHA1: 3216c4d9d035c4252116e96539b403cf5a0d8f56
- SHA256: e4923f2e3773fadad36727ec18c9b392e8a3c0e01b6428cde077ebad13eda8d7
- SHA512: 9a924ab439c1f9ff3f3cd6d1245af49652b186fca5916645226e0a3b930efcd2f4b5bcabca284f6b00877b8ef6de4c810114dc9532b78364e1f88241295f12e0
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is decrypted at runtime.
- AgentTesla Payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofencing check.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext