General
- Target: AWB DHL 7214306201 Shipment_pdf.exe
- Size: 485KB
- Sample: 230328-wbqjjscc86
- MD5: aecb508586356ab8ea6bf6ce6cc964f4
- SHA1: a9b192e515b1b4d396d8c6cb00565dd71af3ed4a
- SHA256: 145ac60ec975bb0a649e3b056fba500a2877dad80ee5453c947413c7d5218caa
- SHA512: 6513d11154d048eacca468ace53e6eca9a01a84116ff56f1d3b44cfc0644ac48f17e36c8a4c8baa8eb2a7d2c353fb6acb05c969c1d69598ef566090a38f8640a
- SSDEEP: 12288:sK3FTyoJ43erqBTIDkh0eTR46bTXEYCkjX2w4vU1upOQAW:UsaBBTRh04RJELkjXAcAs/W
Static task
- static1
Behavioral task
- behavioral1: Sample AWB DHL 7214306201 Shipment_pdf.exe, Resource win7-20230220-en
Behavioral task
- behavioral2: Sample AWB DHL 7214306201 Shipment_pdf.exe, Resource win10v2004-20230220-en
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/
Targets
- Target: AWB DHL 7214306201 Shipment_pdf.exe (485KB; hashes identical to those listed under General above)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext