General
Target: PO.219684 & 220390.exe
Size: 794KB
Sample: 210728-53me7l3we6
MD5: 02d4adfdc7ef2416ac57c7f841a71ada
SHA1: ae59002c22a8ebf5aba7efea1fdd964a2ede4cb5
SHA256: c07013fbf8908de6e011f147b5470db2df3465642582849d368233675a77fc99
SHA512: 5e1de1cd07862e26831a418f9e922d857d6b5f8811e66ba0887c3f268f17ef27133746a599c47e31ab72d0f7591e91d1025c18145904423f30ebc2a95e998f81
Static task: static1
Behavioral task: behavioral1
  Sample: PO.219684 & 220390.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: PO.219684 & 220390.exe
  Resource: win10v20210410
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.moderntelco.com
Port: 587
Username: [email protected]
Password: Sales@123$%
Targets
Target: PO.219684 & 220390.exe
Size: 794KB
Signatures
AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
AgentTesla Payload
Drops file in Drivers directory
Adds Run key to start application
Suspicious use of SetThreadContext