General
- Target: _78594-854 Booking confirmation docx.rar
- Size: 818KB
- Sample: 210421-fj5t9qsr7j
- MD5: 003ff31192221ed822f7ca387166eced
- SHA1: c341d74c826d8811443f158c162a932172985e0e
- SHA256: 76425d335d9c6ae6dc123fd03fc4949b7db8f91305b2b1262b69195e9ebf33b7
- SHA512: ba815a5da14bff1cee28d0bde4ef0145c310a622bcedb7b3b99b052f2e606dae775b07198e4b21e8dc3664b3773098684a524a167c6b70ab71d5d8dec2e99120
Static task: static1
Behavioral task: behavioral1
- Sample: 78594-854 Booking confirmation docx.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 78594-854 Booking confirmation docx.exe
- Resource: win10v20210408
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.akdogulojistik.com
- Port: 587
- Username: servet@akdogulojistik.com
- Password: Ak6363Dogu2009
Targets
- Target: 78594-854 Booking confirmation docx.exe
- Size: 1.2MB
- MD5: aa2e1a9609044d3d2ebcc0576417668d
- SHA1: 7f6b766f64c09b5e23a2836f52a819915bbf3ec8
- SHA256: cbad9f9eabd3439596d81e2e54c3fbc37aba236f7a62c377a0e291dc8b0a8906
- SHA512: 975d0b5265eb39800ac56fff9c514f2004883992d0198c17e6a00207ea70c93ea15fac9793fab139a19df06397283516148518d7e2841a7f98c055d8d231d1f4
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops file in Drivers directory
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext