General
Target: DHL#AWB031121.ppt
Size: 121KB
Sample: 210311-kf5ntmema2
MD5: 49c5e5cf4fec6d41cf03e25995e664d4
SHA1: d8bfbe0acf50553ddd7a8bb4160ebf3f163e608a
SHA256: f62126148a3e6cc7bc2662a8d3b4def7ba95af74265b8f13c2abf6254ea8f0f7
SHA512: 6e2f2d9977b6666209d984be665dffa0fb6a13aee7814a4727eaf4eeb66d0017dcffcfac2ae8ba4679bf70b0c0f3ef2ea5640f12619959dcf114851bb25946a9
Static task: static1
Behavioral task: behavioral1
Sample: DHL#AWB031121.ppt
Resource: win7v20201028
Behavioral task: behavioral2
Sample: DHL#AWB031121.ppt
Resource: win10v20201028
Malware Config
Extracted: agenttesla
http://193.56.28.231/webpanel-ice/inc/8a33becdbb4cb1.php
Targets
Target: DHL#AWB031121.ppt
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext