General
Target: TT COPY.exe
Size: 540KB
Sample: 201109-dh44d2n74n
MD5: 8cb73260e8cc3d0f51da164e2f30f9db
SHA1: 956cdf7991eff9c64e6d2b9148bec190f347f908
SHA256: 89080cc94eae4cab0a8d50729214296a16767368c12a4f679baab998fad152fc
SHA512: fb173cf6d551e2e223010cf2180bdaa289ee1f531c64345663caed9496ee59f9edaf6fb18028516f37b805e0b57522b63ab858578705431a891dfbc8ea92a2e9
Static task
static1

Behavioral task
behavioral1
Sample: TT COPY.exe
Resource: win7v20201028

Behavioral task
behavioral2
Sample: TT COPY.exe
Resource: win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.microtechlab.in
Port: 587
Username: reports@microtechlab.in
Password: pune@123
Targets
Target: TT COPY.exe
Size: 540KB
MD5: 8cb73260e8cc3d0f51da164e2f30f9db
SHA1: 956cdf7991eff9c64e6d2b9148bec190f347f908
SHA256: 89080cc94eae4cab0a8d50729214296a16767368c12a4f679baab998fad152fc
SHA512: fb173cf6d551e2e223010cf2180bdaa289ee1f531c64345663caed9496ee59f9edaf6fb18028516f37b805e0b57522b63ab858578705431a891dfbc8ea92a2e9
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

CoreEntity .NET Packer
A .NET packer called CoreEntity that embeds the payload as a Bitmap object, which is decrypted at runtime.

AgentTesla Payload
Disables Task Manager via registry modification
Drops file in Drivers directory
Adds Run key to start application
Suspicious use of SetThreadContext