General
- Target: Company Business Card.ppt
- Size: 216KB
- Sample: 210224-tl28w92rna
- MD5: 2b3d67c54557405839996ee70857b5ec
- SHA1: a0b2e584a6eb8c723a376bac76db060938bd893f
- SHA256: 555bc41d6b7911af7ad8ca46fef4fea731de07f8feaa6964378f08ae9952ee3b
- SHA512: 08b115ebb1c68468d5e7b81ca9650ae0a856c00b928eb11b34781127018f20279295f959b73bb8588ae16c53638f057d4a4ebd2252c5e73911a7d7584b6eef3c
Behavioral task: behavioral1
- Sample: Company Business Card.ppt
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Company Business Card.ppt
- Resource: win10v20201028
Malware Config
- Extracted: agenttesla
- http://193.56.28.231/webpanel-nick2/inc/8c5de8c1d1501d.php
Targets
- Target: Company Business Card.ppt
- Size: 216KB
- MD5, SHA1, SHA256, SHA512: as listed under General above
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext