General
- Target: f8f829521ff957ce0b2343426fa96d6f7252ca162f3c264702bccf5b624dc52c
- Size: 401KB
- Sample: 220521-xhw6cabge9
- MD5: 3693d005713308b3f1a77f9e060167f8
- SHA1: e033cbd74f937f96925a0f2ff2b29fbda010e85e
- SHA256: f8f829521ff957ce0b2343426fa96d6f7252ca162f3c264702bccf5b624dc52c
- SHA512: 2f90374973393c7d5a616de1c8c1d29f4c51c27d4ce7ea9f8b3186e75c32acb50b57b0e6f86c0e196c59018f356540d38b7bad070e7b8f06295e8e58202b035a
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ - L2004220045.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: RFQ - L2004220045.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sacaplus.com
- Port: 587
- Username: shafiq@sacaplus.com
- Password: 786sas12
Extracted
- Protocol: smtp
- Host: mail.sacaplus.com
- Port: 587
- Username: shafiq@sacaplus.com
- Password: 786sas12
Targets
- Target: RFQ - L2004220045.bat
- Size: 445KB
- MD5: 6fddc9be9e33acc082b0108f29707df2
- SHA1: e929b95e17f11d6fdc9ba75f810d8ea4d50d1acc
- SHA256: e83fe0f20ca6602c7842bd619698e141d7a0f92c4e625b42559334ccab74a148
- SHA512: 2434d3a3f47962c87552e63056879422ff1670fd4d176e0c4677e945dcacc3587309deb5464864013ef8251bf415be208cc83985baf2cb0daffd37f6b131eb45
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer: CoreEntity is a .NET packer that embeds the payload as a Bitmap object which is later decrypted.
- AgentTesla Payload
- CoreCCC Packer: Detects the CoreCCC packer used to load .NET malware.
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext