General
- Target: APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- Size: 706KB
- Sample: 210412-fwk8z4abes
- MD5: da60d646e63e252736a76998f36a6547
- SHA1: ca9af1d7be7667784742ced9b33141d7c6a4e0ac
- SHA256: b728133491571b5473adba573e27014ccd8a83a337549e1cd61bb53675d9af81
- SHA512: d89798434962684006161403a3c41ba62232e379367211be59106d4369666cfb3dcc4c96de0e7bc7c6d162a0bda516976f061c7975c20623a3346c73e56dcea8
Static task: static1
Behavioral task: behavioral1
- Sample: APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: aammorris@askoblue.com
- Password: hbqtHu^3
Targets
- Target: APRILQUOTATIONS#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe (706KB; hashes as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext