General
Target: MV BEHTA Requisition.cab
Size: 365KB
Sample: 210421-ktjrnbv3sn
MD5: f2363a8d8134d1ecaef3dd4be64eef7b
SHA1: 4963e889ee97b1e7f47c1dc154c7b6445c0162ac
SHA256: adc3ccb9845024d523244f2ecd9a2e97e271ba310a07644393af3c2dce2e4920
SHA512: f0376a74f06bd88934aea0173d2d19d8f64ece5dbae10479c3dc9a694a14fce6a9af0878aeba0865b1140c9c03fd7d653caea7b784cb3594faf1882104b28777
Static task: static1
Behavioral task: behavioral1
Sample: MV BEHTA Requisition.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: MV BEHTA Requisition.exe
Resource: win10v20210408
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.hyshippingcn.com
Port: 587
Username: plogs112@hyshippingcn.com
Password: e*u@qkS4
Targets
Target: MV BEHTA Requisition.exe
Size: 477KB
MD5: 0bbd4f88ffc0e2403dc677db55138705
SHA1: 96969cad9fb63258840273415b56524e7e0dd44e
SHA256: 4e03a6064d48718f91df9160b73f9a8cba2976bf516e6f97dc0ec1ddf2c05633
SHA512: 71972eb34f862212faf2c90da28526aa7af502e3b32453bc9b3c4fefb52ceb50823f4da4003003f3527f87d41bf357e8adf2c84d22b3394aeac1d078df620e15
Score: 10/10
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext