General
Target: INVOICE & TELEX BL_PDF.exe
Size: 862KB
Sample: 210927-rjfbbshbg2
MD5: 22a2657bb48e3303f6f0a0fd1fdfe441
SHA1: d6a230a732f3d691a7fce60081f30627ffabd33d
SHA256: 85627117b351e81655bb56b947b61a198d195a225db0e002ef476460b9f273ac
SHA512: 5e24b5f9c3886c9fdeaa968ccc59882b24a4c4cf8d90f4ae7d44ba4ed96bc91800d2f98c1eace2426a5dfe7a16f7c1233b1d54607d17ccba490d9e03514d569c
Tasks
Static task: static1
Behavioral task: behavioral1
Sample: INVOICE & TELEX BL_PDF.exe
Resource: win7-en-20210920
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: smtp.zfftcn.com
Port: 587
Username: slot2@zfftcn.com
Password: *VNHf^L9
Targets
Target: INVOICE & TELEX BL_PDF.exe
Size: 862KB
MD5: 22a2657bb48e3303f6f0a0fd1fdfe441
SHA1: d6a230a732f3d691a7fce60081f30627ffabd33d
SHA256: 85627117b351e81655bb56b947b61a198d195a225db0e002ef476460b9f273ac
SHA512: 5e24b5f9c3886c9fdeaa968ccc59882b24a4c4cf8d90f4ae7d44ba4ed96bc91800d2f98c1eace2426a5dfe7a16f7c1233b1d54607d17ccba490d9e03514d569c
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
Drops file in Drivers directory
Looks for VMWare Tools registry key
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext