General

Target: e53ea50a016d04caea039d864a0aee4d6200a1818b09e9f6acb789e1673341c7
Size: 54KB
Sample: 210505-q1qs7lh9rx
MD5: 78a4d352080a2d97b7b9b16130001c6c
SHA1: cb9bcf57f96f1668f26d0a79c7f21a659fff8230
SHA256: e53ea50a016d04caea039d864a0aee4d6200a1818b09e9f6acb789e1673341c7
SHA512: eae269d9f50b4bc8eeceb50542d17f7c17d9e5fdbaadb7859d672967ef5e6a45f554d180736220a88c8ed1f7261f6d34c07a97544d32227dbaccf99d522077c9
Static task: static1

Behavioral task: behavioral1
Sample: e53ea50a016d04caea039d864a0aee4d6200a1818b09e9f6acb789e1673341c7.xlsm
Resource: win7v20210410

Behavioral task: behavioral2
Sample: e53ea50a016d04caea039d864a0aee4d6200a1818b09e9f6acb789e1673341c7.xlsm
Resource: win10v20210410
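The sample submitted to both behavioral tasks is a macro-enabled workbook (.xlsm). Before detonating such a file, a static triage step is to look inside the OOXML ZIP container for the VBA project part, which is present whatever the file extension claims. The following is an added example (not part of this report and not the sandbox's own static analysis): it builds two constructed in-memory workbooks, one carrying a vbaProject.bin and one without, and inspects them. The content-type strings are the real OOXML ones; the file names, the stand-in vbaProject.bin bytes and the `triage`/`inspect_workbook` helpers are assumptions made for the demo.

```python
"""Static triage of an OOXML workbook: does the container carry a VBA project?

Added example, not part of the sandbox report. Two workbooks are constructed
in memory (one macro-enabled, one plain) and inspected the way a triage
script would inspect the real .xlsm before it is ever opened.
"""
import io
import os
import zipfile
from xml.etree import ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
# Real OOXML content types: the workbook part of a macro-enabled sheet, a plain
# workbook part, and the VBA project part.
MACRO_WORKBOOK_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_WORKBOOK_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".xlsm", ".xltm", ".xlam", ".xlsb"}


def inspect_workbook(data: bytes) -> dict:
    """Findings about a workbook held in memory; nothing in it is executed."""
    out = {"is_zip": False, "has_vba_project": False,
           "macro_enabled_content_type": False, "vba_parts": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return out
    out["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # The VBA project lives at this part name whatever the extension claims.
        out["has_vba_project"] = any(n.lower() == "xl/vbaproject.bin" for n in names)
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for el in root.iter(f"{{{CT_NS}}}Override"):
                ct = el.get("ContentType", "")
                if ct == MACRO_WORKBOOK_CT:
                    out["macro_enabled_content_type"] = True
                elif ct == VBA_PROJECT_CT:
                    out["vba_parts"].append(el.get("PartName"))
    return out


def triage(filename: str, data: bytes) -> dict:
    """inspect_workbook plus an extension check: a VBA project inside a file
    whose extension says 'no macros' is flagged explicitly."""
    out = inspect_workbook(data)
    ext = os.path.splitext(filename)[1].lower()
    out["extension_mismatch"] = out["has_vba_project"] and ext not in MACRO_EXTENSIONS
    return out


def build_workbook(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container for the demo (not a real Excel file)."""
    overrides = [("/xl/workbook.xml", MACRO_WORKBOOK_CT if with_macros else PLAIN_WORKBOOK_CT)]
    if with_macros:
        overrides.append(("/xl/vbaProject.bin", VBA_PROJECT_CT))
    types_xml = (f'<Types xmlns="{CT_NS}">'
                 + "".join(f'<Override PartName="{p}" ContentType="{c}"/>' for p, c in overrides)
                 + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Stand-in for the CFB (OLE) container a real vbaProject.bin is; constructed bytes.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for name, macros in (("invoice.xlsx", True), ("invoice.xlsx", False)):
        print(name, triage(name, build_workbook(macros)))
```

This only establishes that a VBA project is present and whether the container's own metadata agrees with the extension; reading the macro source out of vbaProject.bin (an OLE compound file with MS-OVBA compressed streams) is a job for a dedicated parser such as oletools' olevba, and the auto-exec entry points (Workbook_Open, Auto_Open) are what to look for there.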
Malware Config

Extracted
Family: agenttesla
C2 (HTTP exfiltration endpoint): http://103.133.105.179/707/inc/0b03976abf4fd3.php
Targets

Target: e53ea50a016d04caea039d864a0aee4d6200a1818b09e9f6acb789e1673341c7 (same 54KB file and hashes as listed under General)
- AgentTesla
  Agent Tesla is a .NET-based information stealer with remote-access features (marketed as a RAT). It harvests saved credentials from browsers, mail and FTP clients, logs keystrokes and clipboard contents, and exfiltrates over SMTP, FTP or HTTP. The extracted config for this sample is an HTTP URL, so this build reports to a web panel rather than a mailbox or FTP server.
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro. The sample is a macro-enabled workbook, so this is consistent with VBA in the document launching a child process.
- AgentTesla Payload
  The AgentTesla binary itself was identified among the artifacts of the run, so the workbook acts as a dropper for a separate executable payload.
- Blocklisted process makes network request
  A process on the sandbox's blocklist made an outbound connection; compare the destination with the C2 URL in the extracted config.
- Drops file in Drivers directory
  A file was written under %SystemRoot%\System32\drivers, a location ordinary user-mode applications have no reason to write to.
- Executes dropped EXE
  A file written during the run was subsequently executed.
- Loads dropped DLL
  A file written during the run was subsequently loaded as a module.
- Adds Run key to start application
  Persistence via a value under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run, so the payload restarts at logon.
- Drops file in System32 directory
  A file was written under %SystemRoot%\System32.
- Suspicious use of SetThreadContext
  Calling SetThreadContext on a thread of another process is the step in process hollowing that redirects a suspended process's entry point to injected code; together with the dropped EXE, it indicates the payload runs inside another process's image.
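The signatures above are behavioural rules evaluated over the trace the sandbox recorded. The following is an added example (not the sandbox's own detection logic) that replays equivalent rules over a constructed, Sysmon-style event stream: process creation, file creation, image load, registry set, network connection, plus an `api_call` event standing in for the sandbox's API trace, since Sysmon itself does not log SetThreadContext. Every path, process name and the injection target in the sample events is invented; the only real indicator is the C2 host taken from the extracted config above. The meaning of "blocklisted process" (an Office application or a binary dropped during the run) is an assumption, because the sandbox's actual blocklist is not on this page.

```python
"""Replaying the report's behavioural signatures over Sysmon-style events.

Added example, not the sandbox's own detection logic. The event stream is
constructed; the only real indicator is the C2 host from the extracted config.
"""
from urllib.parse import urlparse

C2_URL = "http://103.133.105.179/707/inc/0b03976abf4fd3.php"  # from the report's extracted config
C2_HOST = urlparse(C2_URL).hostname

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children Office starts in normal use; anything else under an Office parent
# is what the "unexpected child process" signature is built to catch.
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe", "dwwin.exe"}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (signature, detail) pairs in event order."""
    hits, dropped = [], set()          # dropped: lower-cased paths written during the run
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            target = ev["target"].lower()
            dropped.add(target)
            if "\\windows\\system32\\drivers\\" in target:
                hits.append(("Drops file in Drivers directory", ev["target"]))
            elif "\\windows\\system32\\" in target:
                hits.append(("Drops file in System32 directory", ev["target"]))
        elif kind == "process_create":
            parent, child = base(ev["parent_image"]), base(ev["image"])
            if parent in OFFICE_APPS and child not in BENIGN_OFFICE_CHILDREN:
                hits.append(("Process spawned unexpected child process", f"{parent} -> {child}"))
            if ev["image"].lower() in dropped:
                hits.append(("Executes dropped EXE", ev["image"]))
        elif kind == "image_load":
            loaded = ev["image_loaded"].lower()
            if loaded in dropped and loaded.endswith(".dll"):
                hits.append(("Loads dropped DLL", ev["image_loaded"]))
        elif kind == "registry_set":
            if any(k in ev["target_object"].lower() for k in RUN_KEYS):
                hits.append(("Adds Run key to start application", ev["details"]))
        elif kind == "network_connect":
            # "Blocklisted" is taken here to mean an Office app or a dropped binary
            # (assumption; the sandbox's real blocklist is not on the page).
            img = ev["image"].lower()
            if base(img) in OFFICE_APPS or img in dropped:
                hits.append(("Blocklisted process makes network request", f"{base(img)} -> {ev['dest_ip']}"))
            if ev["dest_ip"] == C2_HOST:
                hits.append(("Contacts AgentTesla C2 from extracted config", ev["dest_ip"]))
        elif kind == "api_call" and ev["api"] == "SetThreadContext":
            # Sysmon does not log this; it comes from the sandbox's API trace.
            hits.append(("Suspicious use of SetThreadContext", f"{base(ev['image'])} -> {ev['target_process']}"))
    return hits


EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
STAGE = r"C:\Users\victim\AppData\Roaming\svc.exe"       # constructed dropped payload path
HELPER = r"C:\Users\victim\AppData\Roaming\helper.dll"   # constructed dropped DLL path

# Constructed event stream; paths, names and the injection target are invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": EXCEL, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create", "image": r"C:\Windows\System32\cmd.exe", "target": STAGE},
    {"type": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe", "image": STAGE},
    {"type": "file_create", "image": STAGE, "target": HELPER},
    {"type": "image_load", "image": STAGE, "image_loaded": HELPER},
    {"type": "file_create", "image": STAGE, "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "registry_set", "image": STAGE, "details": STAGE,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"type": "api_call", "image": STAGE, "api": "SetThreadContext", "target_process": "notepad.exe"},
    {"type": "network_connect", "image": STAGE, "dest_ip": C2_HOST, "dest_port": 80},
]

if __name__ == "__main__":
    for sig, detail in detect(SAMPLE_EVENTS):
        print(f"{sig}: {detail}")
```

The order of events matters: "Executes dropped EXE" and "Loads dropped DLL" only fire for paths seen in an earlier file_create, which is also why a real detector keys on the full lower-cased path rather than the file name. In a SIEM the same logic maps onto Sysmon event IDs 1, 11, 7, 13 and 3 respectively, with the SetThreadContext rule having no Sysmon equivalent.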