General
-
Target
RFQ-2201847.xlsx
-
Size
2.1MB
-
Sample
210728-nkb1vdh5vs
-
MD5
7835c3614e688a977aeb63cafdd04d23
-
SHA1
c6b11868797ad66a460030da17c76f5eeee8bbda
-
SHA256
ddb6e90b3fd4767a65a7d190e7dda1994108c268e94efe307be80e6cce56eda2
-
SHA512
cd53a0cef5f0da591330a79fd6b8420005b252a49ad8c9806f7d904c89c045b5b7deb67971132a5f297d32a67f403372f19690b6c3ded900e28eebd9a9558e5f
Static task
static1
Behavioral task
behavioral1
Sample
RFQ-2201847.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
RFQ-2201847.xlsx
Resource
win10v20210410
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
Rollingstone147
Targets
-
-
Target
RFQ-2201847.xlsx
-
Size
2.1MB
-
MD5
7835c3614e688a977aeb63cafdd04d23
-
SHA1
c6b11868797ad66a460030da17c76f5eeee8bbda
-
SHA256
ddb6e90b3fd4767a65a7d190e7dda1994108c268e94efe307be80e6cce56eda2
-
SHA512
cd53a0cef5f0da591330a79fd6b8420005b252a49ad8c9806f7d904c89c045b5b7deb67971132a5f297d32a67f403372f19690b6c3ded900e28eebd9a9558e5f
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload
-
CustAttr .NET packer
Detects CustAttr .NET packer in memory.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-