General
-
Target
Po 463922900001.ppt
-
Size
77KB
-
Sample
210421-1w7162ryes
-
MD5
07d27e32b0ab74301b426e77502bcc13
-
SHA1
5f5631b653a61e085650035166d2ab84ab429331
-
SHA256
414dca4ec7dff32fb1d809f021c4865dc1f6249318ffd707b3d5ef72a4cdd7f2
-
SHA512
0a331ddd511ae5a13a9307f48617fc317b283b4378e868e88724abd78b893ea4f5cca6fbf132b22ee61fee63d378d95d5613f1db3b15e14e491d1133513b1026
Static task
static1
Behavioral task
behavioral1
Sample
Po 463922900001.ppt
Resource
win7v20210410
Behavioral task
behavioral2
Sample
Po 463922900001.ppt
Resource
win10v20210410
Malware Config
Extracted
agenttesla
http://103.133.105.179/808/inc/39b29f468532e0.php
Targets
-
-
Target
Po 463922900001.ppt
-
Size
77KB
-
MD5
07d27e32b0ab74301b426e77502bcc13
-
SHA1
5f5631b653a61e085650035166d2ab84ab429331
-
SHA256
414dca4ec7dff32fb1d809f021c4865dc1f6249318ffd707b3d5ef72a4cdd7f2
-
SHA512
0a331ddd511ae5a13a9307f48617fc317b283b4378e868e88724abd78b893ea4f5cca6fbf132b22ee61fee63d378d95d5613f1db3b15e14e491d1133513b1026
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
AgentTesla Payload
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-