General
- Target: PurchaseOrder78902AprilOrderNewRoundBars.doc
- Size: 2.0MB
- Sample: 210423-kg3ma6br9a
- MD5: a5b413517f57edefa04c2eaa9d47bb4a
- SHA1: 1c12b1e1ca3a59099c452ae8c4faef03ad70bf6c
- SHA256: 69409736df3c6c36e70d30570ba872c0a76795cd5cad0e22c874138540db1281
- SHA512: 261047892012740f03790f555d6b0a1ae05be710168e4391e5c203bfe23c3017fbd0be43ffc0ff56ac15893ea147b770ef445d723bc29b178168115f7bd5fb1c
Static task: static1
Behavioral task: behavioral1
- Sample: PurchaseOrder78902AprilOrderNewRoundBars.doc.rtf
- Resource: win7v20210408
Behavioral task: behavioral2
- Sample: PurchaseOrder78902AprilOrderNewRoundBars.doc.rtf
- Resource: win10v20210410
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.privateemail.com
- Port: 587
- Username: sammorris@askoblue.com
- Password: P)RTDOg8
Targets
- Target: PurchaseOrder78902AprilOrderNewRoundBars.doc
- Size: 2.0MB
- MD5: a5b413517f57edefa04c2eaa9d47bb4a
- SHA1: 1c12b1e1ca3a59099c452ae8c4faef03ad70bf6c
- SHA256: 69409736df3c6c36e70d30570ba872c0a76795cd5cad0e22c874138540db1281
- SHA512: 261047892012740f03790f555d6b0a1ae05be710168e4391e5c203bfe23c3017fbd0be43ffc0ff56ac15893ea147b770ef445d723bc29b178168115f7bd5fb1c
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext