General
-
Target
TRM76EWDS.com
-
Size
401KB
-
Sample
200630-hyg893f9vn
-
MD5
fa54db10aba75c0b629fea0c37e64de3
-
SHA1
931097d1be9092432b8ebb04c0a96f36060aa7ea
-
SHA256
052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634
-
SHA512
c2e43e5eecc0bcb99ce08a3ffae9bd80867ad48ffd20f00c949f5d28d04677f1744edcd8f7a93efa78a512b5e62cd25ca59413078a845a5f5ba9c2ae62b4024e
Static task
static1
Behavioral task
behavioral1
Sample
TRM76EWDS.com.exe
Resource
win7
Behavioral task
behavioral2
Sample
TRM76EWDS.com.exe
Resource
win10
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
dubemlogszz@lascostoolsc.xyz - Password:
dubem@4000XAXAX
Extracted
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
dubemlogszz@lascostoolsc.xyz - Password:
dubem@4000XAXAX
Targets
-
-
Target
TRM76EWDS.com
-
Size
401KB
-
MD5
fa54db10aba75c0b629fea0c37e64de3
-
SHA1
931097d1be9092432b8ebb04c0a96f36060aa7ea
-
SHA256
052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634
-
SHA512
c2e43e5eecc0bcb99ce08a3ffae9bd80867ad48ffd20f00c949f5d28d04677f1744edcd8f7a93efa78a512b5e62cd25ca59413078a845a5f5ba9c2ae62b4024e
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Looks for VirtualBox Guest Additions in registry
-
Drops file in Drivers directory
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-