General

Target: Request for Quotation via ShipServ 7465649870 RFQ).ppt
Size: 66KB
Sample: 210307-6vc7emngln
MD5: e4405847f94ce7a7ff1cf42754030467
SHA1: 3c183881bab3a09576a24da6c6aceaf106e97f1b
SHA256: bc692c42c9c300e9ea559d6cdd74239d85339b60918b1c712db7078c1298421a
SHA512: cf8f7b945ae3df26e929cb28c1eeb0e3dd27620dd92c4c8749e2d18a226bcda6540ce36fcedd02c4f0d0333e5129b66d12e86b8a8d7298662d6b2dc3c027c6b9
Static task: static1

Behavioral task: behavioral1
  Sample: Request for Quotation via ShipServ 7465649870 RFQ).ppt
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: Request for Quotation via ShipServ 7465649870 RFQ).ppt
  Resource: win10v20201028
Malware Config

Extracted family: agenttesla
C2 (HTTP web panel): http://193.56.28.231/webpanel-master/inc/9d051d446f2aa6.php
Targets

Target: Request for Quotation via ShipServ 7465649870 RFQ).ppt
Size: 66KB
MD5: e4405847f94ce7a7ff1cf42754030467
SHA1: 3c183881bab3a09576a24da6c6aceaf106e97f1b
SHA256: bc692c42c9c300e9ea559d6cdd74239d85339b60918b1c712db7078c1298421a
SHA512: cf8f7b945ae3df26e929cb28c1eeb0e3dd27620dd92c4c8749e2d18a226bcda6540ce36fcedd02c4f0d0333e5129b66d12e86b8a8d7298662d6b2dc3c027c6b9
- AgentTesla: Agent Tesla is a .NET remote access tool (RAT) and information stealer, commonly described as written in Visual Basic (.NET); it harvests credentials and keystrokes and exfiltrates them over HTTP, SMTP or FTP, here via the HTTP web panel extracted above.
- Process spawned unexpected child process: this typically indicates the parent process (here the Office host that opened the .ppt) was compromised via an exploit or a malicious macro and used to launch the next stage.
- AgentTesla payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext: writing a thread context into another process is the classic final step of process hollowing (suspended child, overwritten image, redirected entry point).
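As an added example (not code from the sandbox, its signature engine, or this report), the block below re-implements the behavioural signatures listed above, plus a match against the C2 URL from the extracted malware config, as a small triage pass over Sysmon-style events. The event list, paths, PIDs and process names are constructed for illustration and are not telemetry from this sample; only the SHA256 and the C2 URL are taken from the report.

```python
"""Behavioural triage over constructed Sysmon-style events.

Added example, not code from the sandbox or the report. SAMPLE_EVENTS is
constructed for illustration and is not telemetry from this sample.
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
SAMPLE_SHA256 = "bc692c42c9c300e9ea559d6cdd74239d85339b60918b1c712db7078c1298421a"
C2_URL = "http://193.56.28.231/webpanel-master/inc/9d051d446f2aa6.php"
C2 = urlsplit(C2_URL)

# Office hosts that should not be spawning executables from a document.
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
DRIVERS_DIR_RE = re.compile(r"\\Windows\\System32\\drivers\\", re.I)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (signature, pid, detail) tuples, one per matching event, in event order."""
    hits = []
    for ev in events:
        kind, pid = ev["type"], ev["pid"]
        if kind == "process_create":
            if basename(ev["parent_image"]) in OFFICE_PARENTS:
                hits.append(("Process spawned unexpected child process", pid, ev["image"]))
        elif kind == "registry_set":
            if RUN_KEY_RE.search(ev["target"]):
                hits.append(("Adds Run key to start application", pid, ev["target"]))
        elif kind == "file_create":
            if STARTUP_DIR_RE.search(ev["target"]):
                hits.append(("Drops startup file", pid, ev["target"]))
            elif DRIVERS_DIR_RE.search(ev["target"]):
                hits.append(("Drops file in Drivers directory", pid, ev["target"]))
        elif kind == "api_call":
            # SetThreadContext aimed at a thread in another process is the
            # hollowing tell: the caller is redirecting a suspended child.
            target = ev.get("target_pid")
            if ev["api"] == "SetThreadContext" and target not in (None, pid):
                hits.append(("Suspicious use of SetThreadContext", pid, f"target pid {target}"))
        elif kind == "network":
            u = urlsplit(ev["url"])
            # Match on host and path so a changed query string still hits.
            if (u.hostname, u.path) == (C2.hostname, C2.path):
                hits.append(("Network request to extracted AgentTesla C2", pid, ev["url"]))
    return hits


def process_chain(events, pid):
    """Walk child -> parent links from process_create events, so the analyst can
    see document host -> dropped executable -> hollowed child as one chain."""
    parents = {ev["pid"]: ev["parent_pid"] for ev in events if ev["type"] == "process_create"}
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain


# Constructed events (assumed, not from this sample). Paths and PIDs are invented.
OFFICE = r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svc.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1204, "image": OFFICE,
     "parent_pid": 980, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 1788, "image": DROPPED,
     "parent_pid": 1204, "parent_image": OFFICE},
    {"type": "registry_set", "pid": 1788,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc", "value": DROPPED},
    {"type": "file_create", "pid": 1788,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.vbs"},
    {"type": "file_create", "pid": 1788, "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "process_create", "pid": 2040, "image": DROPPED,
     "parent_pid": 1788, "parent_image": DROPPED},
    {"type": "api_call", "pid": 1788, "api": "SetThreadContext", "target_pid": 2040},
    {"type": "network", "pid": 2040, "method": "POST",
     "url": "http://193.56.28.231/webpanel-master/inc/9d051d446f2aa6.php?x=1"},
]

if __name__ == "__main__":
    for sig, pid, detail in triage(SAMPLE_EVENTS):
        print(f"[{pid}] {sig}: {detail}")
    print("chain for 2040:", process_chain(SAMPLE_EVENTS, 2040))
```

The pass is deliberately per-event and stateless except for the process chain; a production rule for the hollowing case would also require the preceding CreateProcess with CREATE_SUSPENDED and a WriteProcessMemory into the same target, which the sandbox's "Suspicious use of SetThreadContext" signature summarises.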