General
- Target: sample_.ppt
- Size: 225KB
- Sample: 210305-h9vtqj2r6j
- MD5: 9cf2b594c4e731c42a98cd29eff24691
- SHA1: 3bb1e6523e6eee97e694cc0b3c557ecd6f954077
- SHA256: d0f2cb812f55b2091f4df2b6a5e69e420c7ccc3ad7378e85d7c3e24066d78a50
- SHA512: 6e1175baf005f6c9d1d35edde84b641f63ef80b58d6bf5d75c35abe8664f5935474133c02a3b04dc760e8269d04739418e31fe332f79c8f5305ea0c9137937be
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: sample_.ppt, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: sample_.ppt, Resource: win10v20201028)
Malware Config
- Extracted: agenttesla
- http://103.133.105.179/3535/inc/e93cc142f47fdc.php
Targets
- Target: sample_.ppt
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of SetThreadContext