General
- Target: IMG_1035_80_63.doc
- Size: 33KB
- Sample: 210311-rxgfygp91n
- MD5: f1c7f28c1e71d97feabc188c267fd4a8
- SHA1: bc323d3cb3234f98cfca8540ae9e7eb1ac29ab06
- SHA256: b25e473d3fd1772bb3fcc4faec21fbdb5c1a5a2b2e3dcad5702d7466c8d7b9ce
- SHA512: 5ecc4583ad9904c808b52efdf9821c8e2b38df9e84af199b7265c3c95e5417b42030ebccbcd92de8774c46d466d97902a336c0da5de4aad5870034670fb49c52
Static task: static1
Behavioral task: behavioral1
- Sample: IMG_1035_80_63.doc
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: IMG_1035_80_63.doc
- Resource: win10v20201028
Malware Config
Extracted
- https://bit.ly/3ccVgSJ
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: sixjan.club
- Port: 587
- Username: [email protected]
- Password: {DsG_Z,9Yl50
Targets
- Target: IMG_1035_80_63.doc
- Size: 33KB
- MD5/SHA1/SHA256/SHA512: as listed under General
- Score: 10/10
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Beds Protector Packer: Detects the Beds Protector packer used to load .NET malware.
- Blocklisted process makes network request
- Executes dropped EXE
- Suspicious use of SetThreadContext