General
- Target: QUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- Size: 706KB
- Sample: 210412-mmz8bek8wn
- MD5: e6f1974aaeafa83cfb19e421a1c063ca
- SHA1: 7b358e43bd2c990af2dccd1eedd4ff8a165c0304
- SHA256: 31f153b1270cc3279425f4aa1d576dc02142d2008afdf5b7fd21f74431bb6473
- SHA512: f13de4052ddb7daaaf05e07c468571ebb6a01af1670d4744e70aac555906884552354a95dc290471a8e3db27c43e235539542ce09eb5af1230384263f4423076
Static task: static1
Behavioral task: behavioral1
- Sample: QUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: QUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- Resource: win10v20201028
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: aammorris@askoblue.com
- Password: hbqtHu^3
Targets
- Target: QUOTATION#QQO2103060_Hangzhou_Zhongniu_Import_Export_Co.exe
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext