General
-
Target
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
-
Size
867KB
-
Sample
210408-9gmvg12ee6
-
MD5
edae8c184a250cccba45c023e805e12d
-
SHA1
6042a0f078faad9525f052a561120d1e2551160f
-
SHA256
0a572e4a9f5d166e563f1c63aa7aa029c2c206d23767bd6ab033a95d7d7027cb
-
SHA512
a2880bef10470d56e87452fd1c6feb27c4d1dde1fcae5f00901254ea99d1a743190aa3e802b1a492f107a54445fe5fc0c98c4b1c2a3123ccf2dcfeae1ff6ed68
Static task
static1
Behavioral task
behavioral1
Sample
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
Resource
win10v20201028
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.privateemail.com
Port: 587
Username: sammorris@askoblue.com
Password: P)RTDOg8
These are the credentials of the attacker-controlled mailbox that the stealer logs into to send stolen data, not credentials belonging to the victim; the host and port are the outbound connection to hunt for.
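As an added example (not part of the report and not code from the sample or from the sandbox), the Python below takes the extracted SMTP exfiltration settings above and shows two ways to pivot on them: decoding the AUTH LOGIN exchange from a plaintext SMTP capture, and correlating DNS and connection logs to find hosts that resolved the configured mail server and then connected on its port. The SMTP session, the DNS/connection records and the addresses in them are constructed for the example, not captured from this sample; `parse_extracted_config`, `decode_smtp_auth_login` and `find_exfil_candidates` are names chosen here.

```python
import base64
import re

# Exfiltration settings exactly as extracted in this report (AgentTesla SMTP channel).
# The "Key: value - Key: value" layout mirrors the report's Extracted block.
EXTRACTED_CONFIG_TEXT = (
    "Protocol: smtp - Host: mail.privateemail.com - Port: 587 "
    "- Username: sammorris@askoblue.com - Password: P)RTDOg8"
)


def parse_extracted_config(text):
    """Split 'Key: value - Key: value' config text into a dict with lower-case keys.

    Fields are separated by a dash followed by whitespace; a value that itself
    contains that sequence would need a stricter format, so this is best effort.
    """
    cfg = {}
    for field in re.split(r"\s*-\s+", text):
        key, sep, value = field.partition(":")
        if sep:
            cfg[key.strip().lower()] = value.strip()
    if cfg.get("port", "").isdigit():
        cfg["port"] = int(cfg["port"])
    return cfg


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed plaintext SMTP session (not a capture from this sample) showing the
# AUTH LOGIN exchange the stealer performs with the extracted credentials.
# "VXNlcm5hbWU6" / "UGFzc3dvcmQ6" are base64 for "Username:" / "Password:".
SAMPLE_SMTP_SESSION = "\n".join([
    "S: 220 mail.privateemail.com ESMTP",
    "C: EHLO WIN-VICTIM",
    "S: 250-mail.privateemail.com",
    "S: 250 AUTH LOGIN PLAIN",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: " + _b64("sammorris@askoblue.com"),
    "S: 334 UGFzc3dvcmQ6",
    "C: " + _b64("P)RTDOg8"),
    "S: 235 Authentication succeeded",
    "C: MAIL FROM:<sammorris@askoblue.com>",
])


def decode_smtp_auth_login(session):
    """Return (username, password) from a plaintext AUTH LOGIN exchange, or None.

    Handles the two-step form and the variant where the client sends the base64
    username inline ("AUTH LOGIN <b64>"). Only works on cleartext traffic: mail
    submission on port 587 normally upgrades with STARTTLS before AUTH, so on
    the wire you usually only see the TLS handshake to the configured host.
    """
    lines = [ln.strip() for ln in session.splitlines()]
    for i, line in enumerate(lines):
        parts = line.split()
        if (len(parts) >= 3 and parts[0] == "C:"
                and parts[1].upper() == "AUTH" and parts[2].upper() == "LOGIN"):
            replies = parts[3:4]  # inline username, if present
            replies += [ln[3:] for ln in lines[i + 1:i + 5] if ln.startswith("C: ")]
            if len(replies) < 2:
                return None
            try:
                return tuple(base64.b64decode(r, validate=True).decode()
                             for r in replies[:2])
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Constructed DNS records (ts, src, qname) and connection records (ts, src, dst, dport).
# 198.51.100.5 is a documentation address standing in for the resolved mail server.
DNS_LOG = [
    ("2021-04-08T09:15:05Z", "10.0.0.21", "mail.privateemail.com"),
    ("2021-04-08T09:15:06Z", "10.0.0.44", "update.example.net"),
]
CONN_LOG = [
    ("2021-04-08T09:15:02Z", "10.0.0.21", "192.0.2.10", 443),
    ("2021-04-08T09:15:07Z", "10.0.0.21", "198.51.100.5", 587),
    ("2021-04-08T09:15:09Z", "10.0.0.44", "203.0.113.9", 587),
]


def find_exfil_candidates(cfg, dns_log, conn_log):
    """Hosts that resolved the configured mail server and then connected on its port."""
    resolvers = {src for _, src, qname in dns_log
                 if qname.lower() == cfg["host"].lower()}
    return sorted({src for _, src, _, dport in conn_log
                   if src in resolvers and dport == cfg["port"]})


if __name__ == "__main__":
    cfg = parse_extracted_config(EXTRACTED_CONFIG_TEXT)
    print(cfg)
    print(decode_smtp_auth_login(SAMPLE_SMTP_SESSION))
    print(find_exfil_candidates(cfg, DNS_LOG, CONN_LOG))
```

The DNS-plus-port correlation is the part that survives TLS: a workstation that has no business submitting mail, resolving a third-party mail provider's submission host and opening port 587 right after a shipping-themed executable ran, is the signal to alert on. The second host in the constructed log also connects on 587 but never resolved the configured server, so it is not flagged.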
Targets
-
Target
DHL_Express_Shipment_Invoice_Confirmation_CBJ190517000131_74700456XXXX.exe
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET, that logs keystrokes, harvests saved browser and mail-client credentials, and exfiltrates them over SMTP, FTP or HTTP; the configuration extracted above selects the SMTP channel.
-
AgentTesla Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation. Obfuscation on its own is not an indicator of malice (legitimate commercial software uses it too); it matters here because it hides the stealer's strings and logic from static analysis, which is why the configuration had to be extracted at runtime.
-
Adds Run key to start application
Persistence: a value under a Software\Microsoft\Windows\CurrentVersion\Run key makes the dropped executable start again at each logon.
-
Suspicious use of SetThreadContext
A hallmark of process hollowing (RunPE): a process is created suspended, its image is replaced with the unpacked payload, and the main thread's context is rewritten with SetThreadContext before it is resumed. Combined with the dropped EXE and DLL above, this is the unpacking stage; the AgentTesla payload runs in the hollowed process, so memory-based detection and the extracted configuration come from that process rather than from the file on disk.
-