General
-
Target
9d83580b805924c53fcb6e150a8c711b9a8169718883eadbc81aa2b0e6fd3b99
-
Size
412KB
-
Sample
220521-pvcy8sgad3
-
MD5
22af3dbfea5d7cedf0694f415f6e79f9
-
SHA1
73e549f8df0c42b6fb133241b8e223e44c3ac556
-
SHA256
9d83580b805924c53fcb6e150a8c711b9a8169718883eadbc81aa2b0e6fd3b99
-
SHA512
33ab3adbb6106d6bfccdbb8cf44beb769eed23e0b7f3ab12fea4e3a127b470178061b34474b16bf00748221477e9d317d8c9363d827a0362ebc1f49c60cc52ab
Static task
static1
Behavioral task
behavioral1
Sample
FIRST PURCHASE ORDER.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
FIRST PURCHASE ORDER.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.aquariuslogistics.com
Port: 587
Username: ajay@aquariuslogistics.com
Password: AQL@2019#$
Targets
-
Target
FIRST PURCHASE ORDER.exe
-
Size
714KB
-
MD5
dbbac19cfd01ab4e759500a13168a30b
-
SHA1
71917c8765aaa6e2869cc1b949bfddf3580457c5
-
SHA256
fe41fe0b302887f61f20473015f386ab57ddb4cc278b3e1639c07337012a58f4
-
SHA512
caa08b928acff84a762f64c8c18c332db8f546d003085415560bdc265c3c90953d3e54da5e2031d188beca49e8c891966f8f8de66c8202928045acfd7d80d4ee
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, likely for geofencing.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-