General
- Target: DRAWINDS.doc
- Size: 630KB
- Sample: 210421-72h7hdtfrn
- MD5: 67d7ab74d4766f745eb011f6ba6b3ded
- SHA1: 4aa646c35f73591190724f90a6b10c35e23f176f
- SHA256: e78492f168d79c9e2301b3a1a9a19423c7307d191779d1529c0050e423898322
- SHA512: 72b00273579c1c4abd9e5c5eabd129cc25ec743f81f1dc3225873649f9e6a441f025274c9dfa6a2db8bc3162be12ad17454e58a99627abb1ee3c30f7e9de7d0e
Static task
- static1
Behavioral task
- behavioral1
  - Sample: DRAWINDS.doc
  - Resource: win7v20210408
Behavioral task
- behavioral2
  - Sample: DRAWINDS.doc
  - Resource: win10v20210410
Malware Config
Extracted
- agenttesla
- Protocol: smtp
- Host: mail.soonlogistics.com
- Port: 587
- Username: admin@soonlogistics.com
- Password: admin6640!
Targets
- Target: DRAWINDS.doc
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext