General
-
Target
PO 71035.pps
-
Size
82KB
-
Sample
210316-8b1l9nb7dn
-
MD5
76b3407328a71015dbc4afc88f17cd49
-
SHA1
fc52c238d348c7ebe5078489ed478bbb3b03b83d
-
SHA256
0d49d76014a2eeb82b331092ee3ba58548c564dea13451fada229da7fda132b1
-
SHA512
ef793485309bdd790d6c90162716e9629c1c338c0b4173648dfce97980c61d716df16be5ea361a857b03c5fc75ae8378fcfcc358a258d40829a7076f78880955
Static task
static1
Behavioral task
behavioral1
Sample
PO 71035.pps
Resource
win7v20201028
Behavioral task
behavioral2
Sample
PO 71035.pps
Resource
win10v20201028
Malware Config
Extracted
agenttesla
http://103.133.105.179/3030/inc/66714cb5e3f035.php
Targets
-
-
Target
PO 71035.pps
-
Size
82KB
-
MD5
76b3407328a71015dbc4afc88f17cd49
-
SHA1
fc52c238d348c7ebe5078489ed478bbb3b03b83d
-
SHA256
0d49d76014a2eeb82b331092ee3ba58548c564dea13451fada229da7fda132b1
-
SHA512
ef793485309bdd790d6c90162716e9629c1c338c0b4173648dfce97980c61d716df16be5ea361a857b03c5fc75ae8378fcfcc358a258d40829a7076f78880955
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Adds Run key to start application
-
Drops file in System32 directory
-