General
Target: HDPCV# RFQ 322159-4.xlsx
Size: 2.7MB
Sample: 210429-ay3hgd2jmx
MD5: 0723e01d5729adda6f656174c4bf466a
SHA1: 9f932d3363b42057fd1718553dbbc74557839d2a
SHA256: ea68d55ec3df2ebc4174f6799a22cb5b1edd1cae65abe3aa2b782c56bc4a1bbc
SHA512: d4caff9c2eea635b468df293e237624a5e5844916443c421029850e337c5fff1b7eef9f21b289f1dd2c20b8eafb294631d6c448ee15b8797d58d142df14ce664
Static task: static1
Behavioral task: behavioral1
  Sample: HDPCV# RFQ 322159-4.xlsx
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: HDPCV# RFQ 322159-4.xlsx
  Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.semlats.com
Port: 587
Username: dhlee@semlats.com
Password: rjtor#f7
Targets
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext