General
Target: Nuovo ordine .exe
Size: 847KB
Sample: 210719-4zrb81cl4x
MD5: c59677e174a469869400d73ef00bb6e3
SHA1: c5dd150a844d4f51c18629948def7e7cb6c1452d
SHA256: dc2768ccfc25f2dc8a57db7a9c9ddd4532fc6044ffd9419c96cdf6e0251e7823
SHA512: 52009a1cf4f97826ee86e8b48b79f62be2929ad871037cc34fb6dff7a7b37b75c513136b0d385256bbada7722721f7cf3e4024b442494f9aceca850ce26db6cb
Static task: static1
Behavioral task: behavioral1
Sample: Nuovo ordine .exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: Nuovo ordine .exe
Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.alruomigroup.com
Port: 587
Username: eepauloffice@alruomigroup.com
Password: HpabZXh7
Targets
Target: Nuovo ordine .exe
Size: 847KB
MD5: c59677e174a469869400d73ef00bb6e3
SHA1: c5dd150a844d4f51c18629948def7e7cb6c1452d
SHA256: dc2768ccfc25f2dc8a57db7a9c9ddd4532fc6044ffd9419c96cdf6e0251e7823
SHA512: 52009a1cf4f97826ee86e8b48b79f62be2929ad871037cc34fb6dff7a7b37b75c513136b0d385256bbada7722721f7cf3e4024b442494f9aceca850ce26db6cb
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext