General
-
Target
PO ORDER 13012020.pps
-
Size
115KB
-
Sample
210113-ykkanfg53s
-
MD5
ef0aed5496df29894d543f176f58ffb8
-
SHA1
c76d78256b743d6401c2272b69eb307f1ada4a9a
-
SHA256
d2f1f28bac56207164e2c5364be21700303c8a8b6ef05270038736255c4593b2
-
SHA512
e02803c05b3ab2ffc3d93655d0c474f8af0813101da568e2f39e1c5e28d62f49aaf7d8627f1125e4d92a952cac0307b62a20686f0c0ff41dc96081dd4e204740
Static task
static1
Behavioral task
behavioral1
Sample
PO ORDER 13012020.pps
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO ORDER 13012020.pps
Resource
win10v20201028
Malware Config
Extracted
agenttesla
http://103.133.105.179/8/inc/359ffad84790de.php
Targets
-
-
Target
PO ORDER 13012020.pps
-
Size
115KB
-
MD5
ef0aed5496df29894d543f176f58ffb8
-
SHA1
c76d78256b743d6401c2272b69eb307f1ada4a9a
-
SHA256
d2f1f28bac56207164e2c5364be21700303c8a8b6ef05270038736255c4593b2
-
SHA512
e02803c05b3ab2ffc3d93655d0c474f8af0813101da568e2f39e1c5e28d62f49aaf7d8627f1125e4d92a952cac0307b62a20686f0c0ff41dc96081dd4e204740
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-