General
Target: payment infirmation.exe
Size: 1.3MB
Sample: 210120-yfq2qr1t5a
MD5: 320eb3a29a367a0d6935df771ce086d7
SHA1: 14ca1d8dbf23998b2a63be591208c147caac8e6a
SHA256: 6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
SHA512: b7ac766aad4c101e1ce2868f13c62252910daa63926fb2b7937d4e80aee920e4ca1a1f3cc58a255760368ef9ff124c8ee9665ea01596a56897241664135c0389
Static task: static1
Behavioral task: behavioral1
  Sample: payment infirmation.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: payment infirmation.exe
  Resource: win10v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.jkudyog.com
Port: 587
Username: ashutosh@jkudyog.com
Password: %$#@lkjhgfdsa
Targets
Target: payment infirmation.exe
Size: 1.3MB
MD5: 320eb3a29a367a0d6935df771ce086d7
SHA1: 14ca1d8dbf23998b2a63be591208c147caac8e6a
SHA256: 6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
SHA512: b7ac766aad4c101e1ce2868f13c62252910daa63926fb2b7937d4e80aee920e4ca1a1f3cc58a255760368ef9ff124c8ee9665ea01596a56897241664135c0389
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Drops file in Drivers directory
Adds Run key to start application
Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Suspicious use of SetThreadContext