General
Target: 10555179020556fb461d05be6edca9e067de3c229ced8277b82db4c676299d9a
Size: 366KB
Sample: 220521-xmlkeacag7
MD5: 00a7a00bec44fc6ccb1f22688c908000
SHA1: 2b25609845f3bb86d4fa9c44fc54115d9c2844fa
SHA256: 10555179020556fb461d05be6edca9e067de3c229ced8277b82db4c676299d9a
SHA512: b3ba881c506a2981b02fcdbff86c441ffdce3b3173c3123dd5c58787f458ac0e3084e6e9391c55eee2ffcd3ae76960c0ae480f23b78953646c480f123a2a9d28
Static task: static1
Behavioral task: behavioral1
  Sample: payment against your invoi.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: payment against your invoi.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
  Protocol: smtp
  Host: mail.trip24now.com
  Port: 587
  Username: services@trip24now.com
  Password: Services@123#
Targets
Target: payment against your invoi.exe
Size: 499KB
MD5: eadb9c9fbe400eeb9a6dfd465f116498
SHA1: 32fc1cfedec2ec886bcd9562cdce99f2414af041
SHA256: 7ef89eedb2b94ba182361208dc6fc31bd1dd3e378e0c5ba28a137996764a2de7
SHA512: dfc20697f28b9fab1fd33f22b6d5398f2ca5cc442bcce2db6e548d993eb8424d6bce34d883a29ddc5b78d69b4d5b2600a6fdc9c3d097b8cb50d07a064cee3eb2
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext