General
  Target: 68f190b3fd347501e6735d88d9ca580a9745d4371b0b28626533ec278ef48805
  Size: 237KB
  Sample: 220521-pwpz7abcgn
  MD5: ffd7b386961ba77ef6797eec3a7b0f3f
  SHA1: 14235bfac5f6270190c722acf9c048193ad434a1
  SHA256: 68f190b3fd347501e6735d88d9ca580a9745d4371b0b28626533ec278ef48805
  SHA512: cf5a7c84a87a5e825a125c57a7ee26604706d8fd7d2f08ce0a4e1715dda0ee1a60fea36e9f15358b1de9a6d1f11a497b62a04e941ebdaa4f91387d40c4682320
Static task
  static1

Behavioral task
  behavioral1
  Sample: PI . 290.pdf.exe
  Resource: win7-20220414-en

Behavioral task
  behavioral2
  Sample: PI . 290.pdf.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
  agenttesla
  Protocol: smtp
  Host: mail.bestinjectionmachines.com
  Port: 587
  Username: v6engine@bestinjectionmachines.com
  Password: wN{qPRgN7Lo~
Targets
  Target: PI . 290.pdf.exe
  Size: 658KB
  MD5: 165a8076aefc984b43248293ffe0fe04
  SHA1: 5c5f6a1d70db1493f3d9f3a0f17b6afdba2727b9
  SHA256: 5889fd00dbdb63d2e655258fac2143f291c1f94d515c8a94707f3c439fde5932
  SHA512: 337b467b703261bc311d45811901f55ec452a3f6dbcd6717969f9ead9738ed2be7c9e7052dd03fa07ececd366f0e7278aafa80b1e41ebb3bc015b2c37f502055
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext