General
- Target: Picture.exe
- Size: 918KB
- Sample: 210727-jyxyr89dys
- MD5: cf43b0fc3cf4393bb542bd212a1af029
- SHA1: 44ff1cbf0831d6176bd6e98a46f354800e9d09d0
- SHA256: 5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e
- SHA512: 5279f393b145d8a4b0672ce5f75f8f777919e0b82ff3a7c3637e5753194fbbd4ace3a173e77d670ad7ab7f0d3cf5a33b65a3bb047cb16349178aea137382e04c
Static task
- static1
Behavioral task
- behavioral1
  - Sample: Picture.exe
  - Resource: win7v20210410
Behavioral task
- behavioral2
  - Sample: Picture.exe
  - Resource: win10v20210410
Malware Config
- Extracted: agenttesla
- https://api.telegram.org/bot1802838691:AAHG-LDFE4ym6sqdeNCoNwT9JyuuNVsehko/sendDocument
Targets
- Target: Picture.exe
- Size: 918KB
- MD5: cf43b0fc3cf4393bb542bd212a1af029
- SHA1: 44ff1cbf0831d6176bd6e98a46f354800e9d09d0
- SHA256: 5d7566ee48f7c1525a1d0e5cf2e5463929d7ad9fe55519acec2a4fcb19507f7e
- SHA512: 5279f393b145d8a4b0672ce5f75f8f777919e0b82ff3a7c3637e5753194fbbd4ace3a173e77d670ad7ab7f0d3cf5a33b65a3bb047cb16349178aea137382e04c
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Modifies system executable filetype association
- AgentTesla Payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext