General
Target: Nuovo ordine .zip
Size: 514KB
Sample: 210719-rn7xkemsva
MD5: 12f91295b63310efc5458a93edccad6e
SHA1: 28fc6d5444fa3ed8bc9f2978a345f7bb03a6f8b4
SHA256: 188b9ba067cd7ce1f5bc1798f838ba2887292a0afbfcc2ce708923f2a443adb3
SHA512: 653544028c72255baf44fdc3bf57b0f2b8df38ef210ec7a3127df2809827373a359b14c9795a2987b7330b465cb3f13a515dafdbad7dec821bad0027f959f2ee
Static task: static1
Behavioral task: behavioral1
Sample: Nuovo ordine .exe
Resource: win7v20210408
Behavioral task: behavioral2
Sample: Nuovo ordine .exe
Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.alruomigroup.com
Port: 587
Username: eepauloffice@alruomigroup.com
Password: HpabZXh7
Targets
Target: Nuovo ordine .exe
Size: 847KB
MD5: c59677e174a469869400d73ef00bb6e3
SHA1: c5dd150a844d4f51c18629948def7e7cb6c1452d
SHA256: dc2768ccfc25f2dc8a57db7a9c9ddd4532fc6044ffd9419c96cdf6e0251e7823
SHA512: 52009a1cf4f97826ee86e8b48b79f62be2929ad871037cc34fb6dff7a7b37b75c513136b0d385256bbada7722721f7cf3e4024b442494f9aceca850ce26db6cb
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Adds Run key to start application
Suspicious use of SetThreadContext