General
Target: 99e5a7536cc2d5681c1c045d47a273e7a0f970a5108f3f800083eb59a3256ee7
Size: 1.2MB
Sample: 220521-pve4lagad4
MD5: b1a35465085c872620355bc82bf91162
SHA1: 1aa073525448ca55a446633176944269a86c0c0b
SHA256: 99e5a7536cc2d5681c1c045d47a273e7a0f970a5108f3f800083eb59a3256ee7
SHA512: eeac630adc7e5a969eaf49a49564410dd2f104a3e13076f97a03d9e505348f1fddd03a0bf23eb5e8d2abbec85022b1201e67355df835641cb46d883cdb42ee00
Static task: static1

Behavioral task: behavioral1
  Sample: LPO_9953.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: LPO_9953.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.rebajitrading.com
Port: 587
Username: info@rebajitrading.com
Password: EMmaunel11@!
Targets
Target: LPO_9953.EXE
Size: 412KB
MD5: 47072e57a2134673161be0457cc7e8ba
SHA1: c9c53e2d1a0f9291523bc116bb744b13acc0c682
SHA256: e1318a650ccdea9cc8cad79ab30946efb6f42aaff9305b97e9fa6c8d63a7b647
SHA512: 508f718a36c80b530746e279984cbf0556e796dca0d4e7243d73a88d4707032d1a21bcf0d8a55f4fb078a71b704fa564c66bf42a09feee614073d25356748e90
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Executes dropped EXE
Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext