General
Target: RFQ No3756368.ppt
Size: 78KB
Sample: 210422-ssqqw7338s
MD5: 4b485ae386bfa68a2eeac2dc35bda606
SHA1: 8086ec71e34fd18a1a8e3e20721bc466caf3cda4
SHA256: 99b84223a505faa4dcd483e6e925dddfe5a890b41aa92b5e4ef5239a26036075
SHA512: 7918aedf847172a8dfed81931ebe5247a627922d5042d6a10799089dd8bb711a1a8f4dc5301e5b65a0f8a27d11f8d815b7d615bb157854a70d1b5a93e8cb09d5
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ No3756368.ppt
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: RFQ No3756368.ppt
  Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.raceinfo.co.za
Port: 587
Username: [email protected]
Password: @ProtimeSport2021
Targets
Target: RFQ No3756368.ppt
Size: 78KB
(MD5, SHA1, SHA256 and SHA512 as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext