General
- Target: swift-copy.doc
- Size: 570KB
- Sample: 210420-yqyx4qrd7e
- MD5: 00cf7f73c9a203c347cd294a05831071
- SHA1: 2048c3def996307c241d82f018d283fc7ee1c555
- SHA256: 216f7c44be6193c359ab1dc687dea34e7a3a3d46ad6b41faf646ed089955d874
- SHA512: 69db1215184a0d1c04a6a1b092deb9bdc6bcaff79423391b3719c8e85b3d31228bf17b1059dfed7fba30a78575a9915dc85af10f8033685858979806e839c2c8
Static task: static1
Behavioral task: behavioral1
- Sample: swift-copy.doc.rtf
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: swift-copy.doc.rtf
- Resource: win10v20210408
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.orienttech.com.qa
- Port: 587
- Username: [email protected]
- Password: Op{^fLb9gN[!
Targets
- Target: swift-copy.doc
- Size: 570KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext