General
Target: RFQ#-Airbus AS365-EC155.exe
Size: 850KB
Sample: 210727-gmq7x6ga72
MD5: 59b10a4ae08a82cceaf918848c40a8f5
SHA1: acf4e109eba29bc8ad37a4db9337ac9a30f74e68
SHA256: bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8
SHA512: 3540ee55be7e74d803c7095882e98e44af5bdd4eec6690bb6476e3d7e0495afe4d19e5352823d57a7915c43b7b6fce44f3af38b7918d1f8993a357d4d712e151
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ#-Airbus AS365-EC155.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: RFQ#-Airbus AS365-EC155.exe
  Resource: win10v20210408
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.sempreviva.pet
Port: 587
Username: dataoffice1@sempreviva.pet
Password: ACYPFpe9
Targets
Target: RFQ#-Airbus AS365-EC155.exe
Size: 850KB
MD5: 59b10a4ae08a82cceaf918848c40a8f5
SHA1: acf4e109eba29bc8ad37a4db9337ac9a30f74e68
SHA256: bf12c7cd5b7991644a86d6ab104040e6f51581d275a3f9e7f9b60e9931a204e8
SHA512: 3540ee55be7e74d803c7095882e98e44af5bdd4eec6690bb6476e3d7e0495afe4d19e5352823d57a7915c43b7b6fce44f3af38b7918d1f8993a357d4d712e151
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext