General
Target: RFQ_99705546,99805546_Mark Cansick.exe
Size: 567KB
Sample: 210928-kcz9labcbm
MD5: 724bce9be00d521c9ae6075d50434b11
SHA1: a95a26499d30f48ca0b23e17b7273b1e6b92f8ac
SHA256: 94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
SHA512: d4082a9eca3f687eef2a1873368d89afcdf88461c24c6e0378e7925000562800a02dd6194fa81fb0b1150114a5451cba6b168739ae2d389efe0b82613b4d50ba
Static task: static1
Behavioral task: behavioral1
Sample: RFQ_99705546,99805546_Mark Cansick.exe
Resource: win7-en-20210920
Malware Config
Extracted family: agenttesla
Protocol: smtp
Host: smtp.regalbelloit.com
Port: 587
Username: user@regalbelloit.com
Password: OccWNGh9
Targets
Target: RFQ_99705546,99805546_Mark Cansick.exe
Size: 567KB
MD5: 724bce9be00d521c9ae6075d50434b11
SHA1: a95a26499d30f48ca0b23e17b7273b1e6b92f8ac
SHA256: 94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
SHA512: d4082a9eca3f687eef2a1873368d89afcdf88461c24c6e0378e7925000562800a02dd6194fa81fb0b1150114a5451cba6b168739ae2d389efe0b82613b4d50ba
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Signatures:
- AgentTesla payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMware Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments)
- Maps connected drives based on registry (disk information is often read in order to detect sandboxing environments)
- Suspicious use of SetThreadContext