General
Target: fed48c890f099eb9fa6868624f305964cb456fbbba0b4c9444c49fafba35bbf5
Size: 574KB
Sample: 220521-pq3zvsbafj
MD5: 3f8b1bab104e7add676145dbe3dd4c54
SHA1: 14d91e2647e6c3644866eedd85a9449bc8540a4c
SHA256: fed48c890f099eb9fa6868624f305964cb456fbbba0b4c9444c49fafba35bbf5
SHA512: 495e6b35f6bcab8817e4dc5fe2d47675ab2ab71c7b78164f9b1ea31773242856c4f69e0e2d1b0f4544e01f505195540678a1c3545d44881db90ba4fbf7bc9964
Static task: static1
Behavioral task: behavioral1
  Sample: 8JVksjPpTQe3cej.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 8JVksjPpTQe3cej.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: roham.dnswebhost.com
Port: 587
Username: e@robotkar.ir
Password: anyiego@123
Targets
Target: 8JVksjPpTQe3cej.exe
Size: 605KB
MD5: 369a7128bae6f603d8d37e139beff1e3
SHA1: 6345b980e576c947b130c8e79f0748af6515758b
SHA256: 99d5312ed790ae1cc69b6965f33f193863e3f4cec084ddf24b6d3722dd926d8d
SHA512: 66a3ad5c31c034ba934731b0956d1ebe2ef52658eb8e9a1c426af3655df79bb712412eebb2052c12498dbd2ee7e96623f9a07a8e79921b164d68a17718f9994c
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext