General
Target: NEW VENDOR FOR CTM 21.0.cab
Size: 354KB
Sample: 210421-ztyc3afwte
MD5: a8837667885238c85de88b25aea7e2d5
SHA1: 0b29625fdc9d2097b3f0091ef1dc6069786edb27
SHA256: 4af8a39b1a560855f12284bd90fde9d57f2d45dbeb4fd5d50f8d532a993289ae
SHA512: 2c26feb33f9efc5a071fefc38c335c1c726e74d415991617ccfdbd9e04bd8eb2d52c634ac9ccc604aa32b0f3c7d37670110db7b35af7eabfc0299f763f539935
Static task: static1
Behavioral task: behavioral1
Sample: NEW VENDOR FOR CTM 21.0.exe
Resource: win7v20210410
Behavioral task: behavioral2
Sample: NEW VENDOR FOR CTM 21.0.exe
Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.hyshippingcn.com
Port: 587
Username: plogs112@hyshippingcn.com
Password: e*u@qkS4
Targets
Target: NEW VENDOR FOR CTM 21.0.exe
Size: 463KB
MD5: 4b721a8d71de67710d0391f8eda57d8d
SHA1: 614b2f6aafb93d760482128c221b052647b4ba3e
SHA256: 113289fcf78c75d3f42a504464ce183ad572ef78f62bc26192e2c0f5ed88bc58
SHA512: 57c3dd94b3d225a8fffed003ee5f0733f09178e62bc0f06e7e32150739ff1248dae439c3303f6511bc4d192d94a1688ca890b807295babbbc6e5718230d7261e
Score: 10/10
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext