General
Target: 25.pps
Size: 100KB
Sample: 210305-jnbcadnjna
MD5: c30e4c2f1fa54d2ef33b728ab424eeb5
SHA1: 78de8719ed871189a4a79f4d37b6f664dbd7ed29
SHA256: 8db5da6f4ee55565df9d436ab0052eaebab54a915929835e839c513e6c658e9f
SHA512: 03266e5d5f717c7042e45a0703771eb66d72bfd2751309c27ca9162c1924bca360cf9b49522ea93484fa6c9e4a5ac46d32dcec1b65e7e1396aacc6d0528b18e0
Static task: static1
Behavioral task: behavioral1 (sample 25.pps, resource win7v20201028)
Behavioral task: behavioral2 (sample 25.pps, resource win10v20201028)
Malware Config
Extracted: agenttesla
C2 URL: http://103.133.105.179/3232/inc/62120b2819c6f4.php
The URL is a PHP panel endpoint of the kind AgentTesla uses in its HTTP exfiltration mode, where harvested credentials and keystrokes are POSTed to the panel; the other builds exfiltrate over SMTP or FTP instead, so the host and URL above are the network indicators to block and hunt for with this sample.
Targets
Target: 25.pps
Size: 100KB
MD5: c30e4c2f1fa54d2ef33b728ab424eeb5
SHA1: 78de8719ed871189a4a79f4d37b6f664dbd7ed29
SHA256: 8db5da6f4ee55565df9d436ab0052eaebab54a915929835e839c513e6c658e9f
SHA512: 03266e5d5f717c7042e45a0703771eb66d72bfd2751309c27ca9162c1924bca360cf9b49522ea93484fa6c9e4a5ac46d32dcec1b65e7e1396aacc6d0528b18e0
Signatures
- AgentTesla: Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET, that harvests saved credentials from browsers, mail and FTP clients, logs keystrokes, and exfiltrates the data over SMTP, FTP or HTTP.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro. For a .pps sample the parent is expected to be the PowerPoint process, so a child that is not part of a normal Office session is the first observable stage of the infection and the point to key detections on.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application: persistence through a value under Software\Microsoft\Windows\CurrentVersion\Run, so the payload is relaunched at every logon.
- Suspicious use of SetThreadContext: Calling SetThreadContext on a thread in another process is the step that redirects execution in process hollowing (RunPE), the injection technique AgentTesla loaders commonly use to run the payload inside a legitimate host process, which is why the payload is attributed to a process whose image on disk is clean.