General
- Target: Payment Slip.exe
- Size: 686KB
- Sample: 210723-dtrdxjbgwa
- MD5: a6d092527c868bca9de40fc0d6d8032f
- SHA1: e8389965e4d3c5eb3fcdeeb3c2e8325216e4d392
- SHA256: d59601df51dd905fccccac81f6750b512dccd7c7d3cf6001c3f073a58c1905c4
- SHA512: 9e706d49d81651e02e4ce85f9ba7f80f91193c858841e067ff88856e10d5d6bbf43a97242fc54d7f793578fcd5fd2b030c86ecfc711d0b5f1f39b80e5b42e5e7
Static task
- static1
Behavioral task
- behavioral1: Sample: Payment Slip.exe, Resource: win7v20210410
- behavioral2: Sample: Payment Slip.exe, Resource: win10v20210408
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: SMTP.mail.com
- Port: 587
- Username: rita-adfixtures@asia.com
- Password: Sunriseadaoma2020
Targets
- Target: Payment Slip.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext