General
-
Target
RFQ_20210715 & PO#2021.exe
-
Size
939KB
-
Sample
210715-pgzedsm6y2
-
MD5
4f4aba8fedeb7002f52d11375bac37de
-
SHA1
7a49569d723e6895f194303edc7487683c126de6
-
SHA256
9b4a7d90be6f0d791e5f83efce3c0cabe8cc7995573e8250f0905c2c5eb0e17a
-
SHA512
417af3edd6615bf8f214f46ad1b1d1bffc9ada54f21b13df4a714d65caf788966b97b5293587a621d493619349801855254c39f2a8477e4843b375ba30bcd17b
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_20210715 & PO#2021.exe
Resource
win7v20210408
Behavioral task
behavioral2
Sample
RFQ_20210715 & PO#2021.exe
Resource
win10v20210410
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yillmachine.com - Port:
587 - Username:
datalogs2020@yillmachine.com - Password:
FCcHFCp8
Targets
-
-
Target
RFQ_20210715 & PO#2021.exe
-
Size
939KB
-
MD5
4f4aba8fedeb7002f52d11375bac37de
-
SHA1
7a49569d723e6895f194303edc7487683c126de6
-
SHA256
9b4a7d90be6f0d791e5f83efce3c0cabe8cc7995573e8250f0905c2c5eb0e17a
-
SHA512
417af3edd6615bf8f214f46ad1b1d1bffc9ada54f21b13df4a714d65caf788966b97b5293587a621d493619349801855254c39f2a8477e4843b375ba30bcd17b
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-