General
Target: Purchase Order10.doc
Size: 1.9MB
Sample: 210126-whrk8j3jvs
MD5: f31d2d6a7d01e211141333c3ec6d4cf4
SHA1: 29f4e3692eda9a58d505203b2aa55590890d7c51
SHA256: d3dcf866f41cf696930dad4c6d1362e81b3d4d395dbd66761b6c7d882510fbac
SHA512: 000611a7e89ade1fe643c41b628d4c679b9d75c9da4cd2fd2c00c47fdd7b379438e69b6e103cc6297c10ff72698f670458ccd8c6a890a799196f3b7aa2b96e5c
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase Order10.doc
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: Purchase Order10.doc
  Resource: win10v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: frostdell.uk
Port: 587
Username: userlogs@frostdell.uk
Password: 7213575aceACE@#$
Targets
Target: Purchase Order10.doc (size and hashes as listed under General above)
Score: 10/10

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Reads data files stored by FTP clients: tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients: email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext