General
-
Target
NEW ORDER 032021-W878.ppt
-
Size
71KB
-
Sample
210308-xapw8zjbpj
-
MD5
5c63ab7763e609cf490333be0be26596
-
SHA1
a3b5eb9fcbc36854ef61ef2c25ccf9fa5c1a5260
-
SHA256
736c4ad042343164463dce61269b4ab6101d8e34a4accbc3f2d23bb2e6a42f4a
-
SHA512
e6ed55100eac92bf698af254a6cd4b1ba0b87a1290ff5d2fd37ea6166b4444c2267c89c5d7e8d524a5250b0b33a95004d3168924f4e4b091d1b1add8c5c5a3a9
Static task
static1
Behavioral task
behavioral1
Sample
NEW ORDER 032021-W878.ppt
Resource
win7v20201028
Behavioral task
behavioral2
Sample
NEW ORDER 032021-W878.ppt
Resource
win10v20201028
Malware Config
Extracted
agenttesla
http://103.133.105.179/3535/inc/e93cc142f47fdc.php
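The report gives two kinds of indicators a responder can pivot on immediately: the file digests of the dropper document and the extracted AgentTesla panel URL. The following script is an added example, not part of the original report or of any sandbox tooling; it folds those indicators into a small hunt that (a) hashes a candidate file and checks it against all three listed digests and (b) scans proxy log lines for requests to the exact C2 URL or, more loosely, to the C2 host. The proxy log format and the sample lines are constructed for the example and are not a real proxy's format.

```python
"""Hunt for the indicators listed in this report (file hashes and AgentTesla C2 URL)."""
import hashlib
from urllib.parse import urlsplit

# Indicators copied from the report above.
IOC_HASHES = {
    "md5": "5c63ab7763e609cf490333be0be26596",
    "sha1": "a3b5eb9fcbc36854ef61ef2c25ccf9fa5c1a5260",
    "sha256": "736c4ad042343164463dce61269b4ab6101d8e34a4accbc3f2d23bb2e6a42f4a",
}
C2_URL = "http://103.133.105.179/3535/inc/e93cc142f47fdc.php"
C2_HOST = urlsplit(C2_URL).hostname  # "103.133.105.179"


def hash_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests, the same three the report lists."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_ioc_hashes(data: bytes) -> bool:
    """True only if every listed digest matches; one mismatch means a different file."""
    digests = hash_bytes(data)
    return all(digests[name] == value for name, value in IOC_HASHES.items())


def scan_proxy_log(lines):
    """Flag requests to the extracted C2.

    Line format assumed here (constructed for this example, not a real proxy format):
        <timestamp> <client-ip> <method> <url> <status>
    Returns a list of (line_number, client_ip, reason) tuples.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the whole scan
        client, url = fields[1], fields[3]
        if url == C2_URL:
            hits.append((lineno, client, "exact C2 URL"))
        elif urlsplit(url).hostname == C2_HOST:
            # Same panel host, different path: the report only lists one URL,
            # but the host is the stronger pivot for finding other victims.
            hits.append((lineno, client, "C2 host " + C2_HOST))
    return hits


# Constructed sample log; the two 103.133.105.179 lines are the ones that should fire.
SAMPLE_PROXY_LOG = [
    "2021-03-08T10:01:02Z 10.0.0.15 GET http://www.microsoft.com/ 200",
    "2021-03-08T10:01:09Z 10.0.0.15 POST http://103.133.105.179/3535/inc/e93cc142f47fdc.php 200",
    "2021-03-08T10:02:30Z 10.0.0.22 GET http://103.133.105.179/3535/inc/index.php 404",
    "2021-03-08T10:03:00Z 10.0.0.15 GET http://example.org/update 200",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("line %d: %s -> %s" % hit)
    # To check a quarantined attachment against the report's digests:
    # with open("NEW ORDER 032021-W878.ppt", "rb") as fh:
    #     print(matches_ioc_hashes(fh.read()))
```

Matching on the host as well as the exact URL is deliberate: the PHP path in an AgentTesla panel URL is per-campaign, so a second host hit with a different path is worth triaging even though only the exact URL is a confirmed indicator.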
Targets
-
-
Target
NEW ORDER 032021-W878.ppt
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, written in Visual Basic .NET. It harvests credentials and keystrokes and typically exfiltrates them over SMTP, FTP or an HTTP web panel; the extracted config above is an HTTP panel URL.
-
Contains code to disable Windows Defender
A .NET executable containing code that disables Windows Defender features such as real-time monitoring and block-at-first-sight.
-
Process spawned unexpected child process
This typically indicates that the parent process was compromised through an exploit or a malicious macro. Since the sample here is a .ppt document, the unexpected child would most likely be spawned by the Office application that opened it.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Adds Run key to start application
-