General
Target: pay in receipt.doc
Size: 87KB
Sample: 210727-q4j1dgxr6n
MD5: 10c55ac6b300e7e64a787ecd1ee95de5
SHA1: d958db330fc03846193371c52ec959ef3f310705
SHA256: 517eb00d2c56a5f1f083dcf451664a95cd3732ba4335792dddacb0ed12111613
SHA512: aede5abf1e74c0215ba78fb3173629c2defe576a99d6461589d0f388a0456b5d5a2019c9621f44ca3df7e83ebe7e48b4ddb65cf8f397bb990f1a3e7b440a4eca
Static task: static1
Behavioral task: behavioral1
  Sample: pay in receipt.doc.rtf
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: pay in receipt.doc.rtf
  Resource: win10v20210408
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.sodag-agricole.com
Port: 587
Username: [email protected]
Password: agricole**sodag+1990
Targets
Target: pay in receipt.doc (87KB; hashes as listed under General above)
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload
CustAttr .NET packer
Detects CustAttr .NET packer in memory.
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext