General
- Target: new_order20210408_14.doc
- Size: 824KB
- Sample: 210408-m7z4tjl1xa
- MD5: fe54df1ab8565835d83177d1d03e2dd0
- SHA1: 153439d8a1edb4c3dea9fdb78c910dbb107abd58
- SHA256: 27cb289230f6544ef667488a02ee6967b9f1c4cf0c9a4c4d57af8a374b2241d9
- SHA512: 709e8104545ee5839d29d4b766ce0186101f65d1863100b6af54f7a4e4761d2a3cb3ca2e790e7772f452a9fb397f20391cc49d5c47841c11124c8e6fafe1931f
Static task: static1
Behavioral task: behavioral1
- Sample: new_order20210408_14.doc
- Resource: win7v20201028
Malware Config
Extracted
- http://bit.ly/2RhLurR
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: m4ximilia@yandex.com
- Password: x103860*&1333
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext