General
Target: Payment Copy 003.ppt
Size: 380KB
Sample: 210226-4cqwhdb6yx
MD5: 51f66da7a8866a3e817597886192cf6d
SHA1: 717566f03ffa43b2969cd3033e1db987bf927bad
SHA256: f7fd745b52fb8e791254492eca2c41df9281430dcbc5b56baa715b32eeb417ed
SHA512: 3a7ca384a5d1c546e64c1faeebac58a96e3be268f656445e86a1fa10c9c34f14d3b5c7c2d472ad7f230609d80d156567a617a37a8c0de3e1424ca8ed91f7e636
Behavioral task: behavioral1
Sample: Payment Copy 003.ppt
Resource: win7v20201028

Behavioral task: behavioral2
Sample: Payment Copy 003.ppt
Resource: win10v20201028
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: david@damienzy.xyz
Password: @damienzy.xyz2240
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext