General
- Target: PO000170.exe
- Size: 509KB
- Sample: 201109-78w5sc8n9x
- MD5: 080cfd17bd94ff40a8813cd7c8d03b67
- SHA1: 4a100e472fce2d52d58d153cd0ac4a82c6b79e7b
- SHA256: cd301ca1c374c26aca9bf5381a3b491ae384f06868617c6c16b563213854d159
- SHA512: 7a7635ed2c14644a813c1d2a60cad09bb6d4c728cc2d3bdfd75f9e13ce4b8b044482b4eb20f942bc95144c48ae286ae5295003563bdb17296a8f3e9b16c0d3c0
Behavioral task: behavioral1
- Sample: PO000170.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: PO000170.exe
- Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.tolipgoldenplaza.com
- Port: 587
- Username: dir.fb@tolipgoldenplaza.com
- Password: Golden@#$2019
Targets
- Target: PO000170.exe
- Size: 509KB
- MD5: 080cfd17bd94ff40a8813cd7c8d03b67
- SHA1: 4a100e472fce2d52d58d153cd0ac4a82c6b79e7b
- SHA256: cd301ca1c374c26aca9bf5381a3b491ae384f06868617c6c16b563213854d159
- SHA512: 7a7635ed2c14644a813c1d2a60cad09bb6d4c728cc2d3bdfd75f9e13ce4b8b044482b4eb20f942bc95144c48ae286ae5295003563bdb17296a8f3e9b16c0d3c0
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- CoreEntity .NET Packer
  A .NET packer, CoreEntity, that embeds its payload as a Bitmap object which is decrypted at runtime.
- AgentTesla Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Suspicious use of SetThreadContext