General
Target: PO#00187.ppt
Size: 133KB
Sample: 210225-ye55aec3gj
MD5: 1dadb4c3fe45566d28b7156be2e2aa6b
SHA1: 53fecb422d1b1663e4a9aec9f5a3a020e818a6f9
SHA256: 0289ee3c551ba84d34ab1760d042ab420733d96dbfedfae9718f8eb138c3259b
SHA512: b514646371ff67b67ee9c1bc4e3258442be1d175cf1290fbddc58405969bfcf0693cbddfa216aa6e0c73f7521096ef867773e1767a569e04d70480f71d5de62a
Behavioral task: behavioral1
Sample: PO#00187.ppt
Resource: win7v20201028

Behavioral task: behavioral2
Sample: PO#00187.ppt
Resource: win10v20201028
Malware Config
Extracted: agenttesla
http://193.56.28.231/webpanel-ice/inc/8a33becdbb4cb1.php
Targets
Target: PO#00187.ppt
Size: 133KB
MD5: 1dadb4c3fe45566d28b7156be2e2aa6b
SHA1: 53fecb422d1b1663e4a9aec9f5a3a020e818a6f9
SHA256: 0289ee3c551ba84d34ab1760d042ab420733d96dbfedfae9718f8eb138c3259b
SHA512: b514646371ff67b67ee9c1bc4e3258442be1d175cf1290fbddc58405969bfcf0693cbddfa216aa6e0c73f7521096ef867773e1767a569e04d70480f71d5de62a
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext