General

- Target: BL COPY.exe
- Size: 885KB
- Sample: 210511-dpmvlshy32
- MD5: d3a2edaff3070fd462a89b3c5d75391c
- SHA1: 63fe1e5b263c0cfc796010f7ff5e39ad631a39c5
- SHA256: 71276409f3ed154c5b43a4357d4644350d89c064e0db3ad4cca5570dbeaaa3a0
- SHA512: 7655eb938f69c33cf8e06b8ab6a7c9ad89cfaa3686af651a87f7c42ac7567c0e9db8cebc91775fd6ea76750e719bddc32632d0d4f870afecb5997975eda0b605
Static task
- static1

Behavioral task
- behavioral1: sample BL COPY.exe, resource win7v20210410

Behavioral task
- behavioral2: sample BL COPY.exe, resource win10v20210408
Malware Config

Extracted: agenttesla
- Protocol: smtp
- Host: mail.citechco.net
- Port: 587
- Username: anando@citechco.net
- Password: Webana@321#
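The extracted config is the part of this report a practitioner turns into network indicators. The following Python is an added example, not part of the sandbox report or of any tool it uses: it parses the flattened "Key: value - Key: value" text in the form the page prints it, reduces it to an IOC record, and runs that record over a few constructed Zeek-style JSON log lines. The host, port and account values are the page's own; the log lines, IP addresses and the helper names (`parse_config`, `to_iocs`, `scan_logs`) are assumptions made for illustration.

```python
import json
import re
from typing import Dict, List

# The extracted AgentTesla config exactly as the report prints it, with the
# page's line breaks collapsed to spaces (values are the page's own).
RAW_CONFIG = (
    "Protocol: smtp- Host: mail.citechco.net - Port: 587 - "
    "Username: anando@citechco.net - Password: Webana@321#"
)

# "Key: value" pairs separated by " - ", except that the separator is not
# consistent ("smtp- Host"), so a value ends where the next "Key:" begins or
# at the end of the text. A '-' inside a value is safe because the lookahead
# demands a following "Key:".
FIELD_RE = re.compile(r"(\w+):\s*(.*?)\s*(?:-\s*(?=\w+:)|\Z)", re.S)


def parse_config(raw: str) -> Dict[str, str]:
    """Return the config as a dict with lower-case keys."""
    fields = {key.lower(): value for key, value in FIELD_RE.findall(raw)}
    if "host" not in fields or "port" not in fields:
        raise ValueError("extracted config has no host/port")
    return fields


def to_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Reduce the config to the fields worth alerting on."""
    return {
        "family": "agenttesla",
        "exfil_protocol": cfg.get("protocol", "").lower(),
        "exfil_host": cfg["host"].lower(),
        "exfil_port": int(cfg["port"]),
        # The operator's collection account, not a victim credential.
        "exfil_account": cfg.get("username", "").lower(),
    }


# Constructed Zeek-style JSON log lines (not from the sandbox page): one host
# resolves the exfil mail server and then connects to it on 587; the others
# are unrelated traffic. Addresses are from documentation ranges.
SAMPLE_LOGS: List[str] = [
    '{"_path":"dns","ts":1620719000.1,"id.orig_h":"10.0.0.5",'
    '"query":"mail.citechco.net","answers":["203.0.113.10"]}',
    '{"_path":"conn","ts":1620719000.4,"id.orig_h":"10.0.0.5",'
    '"id.resp_h":"203.0.113.10","id.resp_p":587,"proto":"tcp","service":"smtp"}',
    '{"_path":"conn","ts":1620719001.0,"id.orig_h":"10.0.0.7",'
    '"id.resp_h":"198.51.100.25","id.resp_p":443,"proto":"tcp","service":"ssl"}',
    '{"_path":"dns","ts":1620719002.2,"id.orig_h":"10.0.0.9",'
    '"query":"www.example.com","answers":["93.184.216.34"]}',
]


def scan_logs(lines: List[str], iocs: Dict[str, object]) -> List[dict]:
    """Flag DNS lookups of the exfil host and TCP sessions on the configured
    port to the addresses it resolved to. Connection records carry no
    hostname, so the DNS answers are what ties them back to the host."""
    host, port = iocs["exfil_host"], iocs["exfil_port"]
    records = [json.loads(line) for line in lines]
    resolved = set()
    hits = []
    for rec in records:
        if rec.get("_path") == "dns" and rec.get("query", "").lower() == host:
            resolved.update(rec.get("answers", []))
            hits.append({"ts": rec["ts"], "src": rec["id.orig_h"],
                         "reason": f"dns lookup of {host}"})
    for rec in records:
        if (rec.get("_path") == "conn" and rec.get("id.resp_p") == port
                and rec.get("id.resp_h") in resolved):
            hits.append({"ts": rec["ts"], "src": rec["id.orig_h"],
                         "reason": f"tcp/{port} to {rec['id.resp_h']} ({host})"})
    return sorted(hits, key=lambda h: h["ts"])


if __name__ == "__main__":
    iocs = to_iocs(parse_config(RAW_CONFIG))
    print(json.dumps(iocs, indent=2))
    for hit in scan_logs(SAMPLE_LOGS, iocs):
        print(hit["ts"], hit["src"], hit["reason"])
```

Mail submission on tcp/587 normally upgrades to TLS with STARTTLS, so the AUTH LOGIN exchange and the stolen data are not visible to a content-inspecting sensor; match on the DNS lookup and the destination host and port, as the scan does, rather than on SMTP payload. The credentials are the operator's collection mailbox, not a victim's, and the same mailbox tends to recur across samples, so the account is a more durable pivot than the file hash.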
Targets

- Target: BL COPY.exe
- Size: 885KB
- SHA256: 71276409f3ed154c5b43a4357d4644350d89c064e0db3ad4cca5570dbeaaa3a0 (MD5, SHA1 and SHA512 as listed under General)
AgentTesla

Agent Tesla is a .NET-based information stealer and remote access tool (RAT), typically compiled from VB.NET or C#. It harvests credentials saved by browsers, mail and FTP clients, can log keystrokes and capture screenshots, and exfiltrates over SMTP, FTP, HTTP or Telegram; the SMTP credentials in the extracted config above are the operator's collection mailbox.

- AgentTesla Payload
- Drops file in Drivers directory (a write under %SystemRoot%\System32\drivers by a user-mode process; the directory also holds drivers\etc\hosts, so check what was written before reading a kernel driver into this)
- Adds Run key to start application (persistence through a ...\Software\Microsoft\Windows\CurrentVersion\Run value so the payload is relaunched at logon)
- Suspicious use of SetThreadContext (the API process hollowing uses to point the main thread of a suspended child process at an injected image; the usual reason a .NET loader calls it is that the real payload runs inside a hollowed host process rather than as the dropped executable itself)
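The registry and file-system signatures above are the kind a host sensor can reproduce outside the sandbox. The following Python is an added example, not code from the report or from Sysmon: it applies the same two checks to a handful of constructed Sysmon-style events (EID 13 RegistryEvent Value Set and EID 11 FileCreate, using the field names Sysmon emits). The paths, SID, timestamps and value names are invented for illustration, and `triage`, `run_key_finding`, `driver_drop_finding` and `executable_from_value` are assumed helper names.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Autostart registry locations (HKLM or a per-user hive).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Kernel driver directory; it also holds drivers\etc\hosts, so a hit here is
# not by itself proof that a driver was installed.
DRIVERS_DIR_RE = re.compile(r"\\Windows\\System32\\drivers\\", re.I)
# Paths a standard user can write to; a Run entry pointing here, or written
# from here, is the pattern behind the sandbox signature.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
SYSTEM_DIR_RE = re.compile(r"^[A-Z]:\\Windows\\", re.I)


def executable_from_value(value: str) -> str:
    """Pull the program path out of a Run value, quoted ('"C:\\a b\\x.exe" /arg')
    or unquoted ('C:\\a b\\x.exe /arg')."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    match = re.match(r"(.*?\.(?:exe|dll|scr|vbs|js|bat|cmd))(?:\s|$)", value, re.I)
    return match.group(1) if match else value


def run_key_finding(ev: Event) -> str:
    """EID 13 (RegistryEvent, value set): Run/RunOnce entries that point to,
    or are written by, something in a user-writable location."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(str(ev.get("TargetObject", ""))):
        return ""
    target = executable_from_value(str(ev.get("Details", "")))
    if USER_WRITABLE_RE.search(target):
        return f"Run value {ev['TargetObject']} -> user-writable target {target}"
    if USER_WRITABLE_RE.search(str(ev.get("Image", ""))):
        return f"Run value {ev['TargetObject']} written by {ev['Image']}"
    return ""


def driver_drop_finding(ev: Event) -> str:
    """EID 11 (FileCreate): any write under System32\\drivers by an image that
    does not itself live under %SystemRoot%."""
    if ev.get("EventID") != 11 or not DRIVERS_DIR_RE.search(str(ev.get("TargetFilename", ""))):
        return ""
    if SYSTEM_DIR_RE.match(str(ev.get("Image", ""))):
        return ""
    return f"{ev['Image']} wrote {ev['TargetFilename']}"


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Run every check over every event; return (UtcTime, finding) in time order."""
    findings = []
    for ev in events:
        for check in (run_key_finding, driver_drop_finding):
            msg = check(ev)
            if msg:
                findings.append((str(ev["UtcTime"]), msg))
    return sorted(findings)


# Constructed Sysmon-style events (not from the sandbox page). The first and
# third mirror the two signatures; the second and fourth are benign controls.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "UtcTime": "2021-05-11 10:23:41.120",
     "Image": r"C:\Users\victim\AppData\Local\Temp\BL COPY.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r'"C:\Users\victim\AppData\Roaming\updater\updater.exe"'},
    {"EventID": 13, "UtcTime": "2021-05-11 10:25:02.004",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
    {"EventID": 11, "UtcTime": "2021-05-11 10:23:40.870",
     "Image": r"C:\Users\victim\AppData\Local\Temp\BL COPY.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\upd.sys"},
    {"EventID": 11, "UtcTime": "2021-05-11 10:30:12.500",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\wdfilter.sys"},
]


if __name__ == "__main__":
    for when, finding in triage(SAMPLE_EVENTS):
        print(when, finding)
```

SetThreadContext itself produces no Sysmon event; the process hollowing it usually indicates has to come from API-level tracing or EDR telemetry, so the third signature is not covered by the two checks here.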