General
Target: QTN TECHN 80654.exe
Size: 1.7MB
Sample: 210624-g8m7f7v1rj
MD5: 78cc790e0eb562e9dde6d6daf206f852
SHA1: d9ad1c34313400f6f102b6f989d5004e540f74d4
SHA256: 372a1eff95efebac004946b062fafd38a69b2f9c4d2c900335b22353a4646d2e
SHA512: 71ba7b464f3559ea9e818942949b849dce24b2ebbf2bbaf1355091abdc7f7dfdfb18861266e34b000f082081bf62e0bb356ff9a014976721ad4261e5644c2aff
Static task: static1
Behavioral task: behavioral1
  Sample: QTN TECHN 80654.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: QTN TECHN 80654.exe
  Resource: win10v20210408
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.buynsell.com.pk
Port: 587
Username: accounts@buynsell.com.pk
Password: 9DdbVxrWBXPq
Targets
Target: QTN TECHN 80654.exe
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- AgentTesla Payload
- Drops file in Drivers directory
- Adds Run key to start application
- Suspicious use of SetThreadContext