General

Target: Quote Request #7779510.doc
Size: 295KB
Sample: 210421-4a3nt1yvax
MD5: 56031cae7ff0acf6da4b77070c607774
SHA1: c9f9047e53d83becc7c6076c899a703f1e6e1a76
SHA256: ff381561194eae8d503307490082530d0b452297e33610d219d6a116814b6447
SHA512: 5ec0385f97e866da8316f9d84ec4148fbfa9a069510a71aad28b1a1a6b71d05a3155d63d8ae5e341e3123ed9441ff6b8a6a9202a5798665ecce42d3b46e53265
Static task: static1

Behavioral task: behavioral1
Sample: Quote Request #7779510.doc
Resource: win7v20210410

Behavioral task: behavioral2
Sample: Quote Request #7779510.doc
Resource: win10v20210408
Malware Config

Extracted URL: httP://katchobinnas.duckdns.org/kat.exe

Extracted family: agenttesla (SMTP exfiltration configuration)
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: eitaneli@pppkglobal.net
Password: yZ!RlHx2
Targets

Target: Quote Request #7779510.doc (295KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Score: 10/10

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic .NET; it typically exfiltrates harvested credentials over SMTP, FTP or HTTP, which matches the SMTP configuration extracted above.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or a malicious macro; for a .doc sample the parent is normally the Office process that opened the document.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext (commonly seen in process hollowing and other thread-hijacking injection)
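The behavioural signatures above and the SMTP configuration extracted under Malware Config can be replayed as detection logic over endpoint telemetry. The following Python is an added example, not part of this report or of the sandbox vendor's own signature engine: the event shapes, process paths, allow-lists and the sample events are constructed assumptions, while the hosts, port and SHA256 come from the report.

```python
"""Replay this report's signatures and IOCs as simple detection rules.

Added example (not the sandbox's code). Event format, process names and the
allow-lists are assumptions; the hosts, port and hash come from the report.
"""
import hashlib
from urllib.parse import urlparse

# Indicators taken from the report (URL scheme casing normalised to lowercase).
PAYLOAD_URL = "http://katchobinnas.duckdns.org/kat.exe"
EXFIL_SMTP_HOST = "us2.smtp.mailhostbox.com"
EXFIL_SMTP_PORT = 587
SAMPLE_SHA256 = "ff381561194eae8d503307490082530d0b452297e33610d219d6a116814b6447"
IOC_HOSTS = {urlparse(PAYLOAD_URL).hostname, EXFIL_SMTP_HOST}

# Assumed allow-lists: what an Office parent may legitimately spawn, and which
# images are expected to speak SMTP at all.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
OFFICE_ALLOWED_CHILDREN = {"splwow64.exe", "werfault.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawned_unexpected_child(ev):
    """'Process spawned unexpected child process': an Office parent starts
    something outside its small allow-list (macro or exploit indicator)."""
    if ev["type"] != "process_create":
        return None
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_IMAGES and child not in OFFICE_IMAGES | OFFICE_ALLOWED_CHILDREN:
        return f"{parent} spawned {child}"
    return None


def downloads_pe(ev):
    """'Downloads MZ/PE file': HTTP response body begins with the DOS header magic."""
    if ev["type"] == "http_response" and ev["body"][:2] == b"MZ":
        return f"PE downloaded from {ev['url']} by {basename(ev['image'])}"
    return None


def contacts_ioc_host(ev):
    """Any connection to a host named in the extracted config."""
    if ev["type"] in ("network_connect", "http_response"):
        host = ev.get("dest_host") or urlparse(ev["url"]).hostname
        if host in IOC_HOSTS:
            return f"{basename(ev['image'])} contacted IOC host {host}"
    return None


def smtp_from_non_mail_client(ev):
    """Agent Tesla exfiltrates over SMTP; a non-mail process on 25/465/587 is suspect."""
    if (ev["type"] == "network_connect" and ev["dest_port"] in SMTP_PORTS
            and basename(ev["image"]) not in MAIL_CLIENTS):
        return f"{basename(ev['image'])} opened SMTP to {ev['dest_host']}:{ev['dest_port']}"
    return None


DETECTIONS = [office_spawned_unexpected_child, downloads_pe,
              contacts_ioc_host, smtp_from_non_mail_client]


def analyze(events):
    """Run every rule over every event; return (rule_name, detail) hits in order."""
    hits = []
    for ev in events:
        for rule in DETECTIONS:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


def matches_sample(data):
    """True if the given bytes hash to the report's sample SHA256."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed events modelled on the report's findings (not a real capture):
# Word spawns a shell, the shell fetches kat.exe from the duckdns host, the
# dropped EXE runs and talks SMTP to the configured mailhostbox server.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "http_response", "image": r"C:\Windows\System32\cmd.exe", "url": PAYLOAD_URL,
     "body": b"MZ\x90\x00" + b"\x00" * 60},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\user\AppData\Local\Temp\kat.exe"},
    {"type": "network_connect", "image": r"C:\Users\user\AppData\Local\Temp\kat.exe",
     "dest_host": EXFIL_SMTP_HOST, "dest_port": EXFIL_SMTP_PORT},
    # Benign control: a real mail client on 587 must not fire the SMTP rule.
    {"type": "network_connect", "image": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "dest_host": "smtp.office365.com", "dest_port": 587},
]

if __name__ == "__main__":
    for name, detail in analyze(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The SMTP rule deliberately keys on the process rather than the destination, because the exfiltration account lives on a legitimate shared mail host; blocking us2.smtp.mailhostbox.com outright would also break any tenant who uses it. The URL and SMTP host are the durable indicators to push to proxy and DNS logs, and the SHA256 check covers the document itself.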