General
Target: Order 200234#.doc
Size: 295KB
Sample: 210421-hjfb17wy6e
MD5: 452e11d23c80550a45b6a498bac85733
SHA1: 1b1355594eecbfad9803e771bedefedf96ecceee
SHA256: 8ac32b7faa79aabd51156f6503e624a53ee5d355d602784273376ad45e7dbdbf
SHA512: fcf7955fe9b6e84e6361a2e0beca3bce9a64d7f413c8629a877e37da016144c4c886ecbf0d61586233aecb15f9215ac0378fc5349ed127465904658af1a3f3a5
Static task: static1
Behavioral task: behavioral1
  Sample: Order 200234#.doc
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: Order 200234#.doc
  Resource: win10v20210408
Malware Config
Extracted (download URL): httP://katchobinnas.duckdns.org/obi.exe
Extracted (family): agenttesla
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: zhoubing.wu.zeruimetal@pppkglobal.net
  Password: Thanks202#
Targets
Target: Order 200234#.doc (size and hashes as listed under General)
Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext