General
Target: 12604641281011e9afe4a10e1d2e4729ad39f0cd.zip
Size: 1.2MB
Sample: 211014-pgekxahee3
MD5: 1a8013eac7aad5bd9190df0a623fd62b
SHA1: 12604641281011e9afe4a10e1d2e4729ad39f0cd
SHA256: 4ba81036ae68eb0b4e5e5528e1109e39d9f94684de3903eb714009293a4a750c
SHA512: 6fab1a3c751298d29060b48a519c67e064df583c030101252b4df68be798d1ee126eb0ddfc06622530d315170cb0ac791726bd00a9d6a9e2c2045c3e2c7fe580
Static task: static1
Behavioral task: behavioral1
Sample: 2145RFQ14102021.rtf.lnk
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: 2145RFQ14102021.rtf.lnk
Resource: win10-en-20210920
Malware Config
Extracted
formbook
4.1
en
http://www.alliancefb.com/support/en/
fortezza.tours
unicornoptical.com
freezeframegame.com
osocrossfit.com
cutass.com
zhongrisk.com
seasandoman.com
global-care-recruiting.info
whenwesaywehaveitwedo.com
mithlapainting.com
sandringhamdarlington.net
futurevalleycontracting.com
goochandhousego.pro
valentindimitrov.com
maple-events.com
yourcreditchoice.com
virginity.bid
electricindians.com
intlgcap.com
ternionathletics.com
careymillersells.com
xn--sh5b25a34h.site
aadetermatology.com
bobosugar.com
flamingflavor.com
diamantverkauf.com
vicdux.network
colonhydrotherapyphila.com
darrenwongproperties.com
loisechly.com
mevlanaspot.com
erasethenegative.com
portaltonepal.com
portlandbuyback.com
academyofpods.com
birdofwisdom.com
littlehousenursery.com
xizled.com
betrayk.com
otisaffiliates.com
soyinyue.com
yourtownwebsite.com
three-rebels.com
gaso3.com
dreamcricketers.com
radiovtochq.com
pyrosoftgaming.com
uswebrootcosafe.com
zhongyingshangcheng.com
builtforthegreen.com
letskillracism.com
radishmehealthy.com
surferfin.com
preownedjamesavery.com
bestpottywatch.com
malwinamakeupartist.com
casino-players.com
emilyduffin.com
amiracle2remember.com
stevejackson2020.com
attenutechusa.net
gmslebanon.com
bostae.net
rangefish.com
Targets
Target: 2145RFQ14102021.rtf.lnk
Size: 5.4MB
MD5: 85e44c6e99f5f4043fc2c993b6fa633b
SHA1: 21b3e0a10dd9798ef71fe073cdad7cfdadbfdeae
SHA256: 62fab79e945bc629c110f21c9db37c8c0cc441ad15e73c1c1349fbef986b3789
SHA512: 7c2f7183d40ac7bab91fa1a572c625e38e8f7ec848d54b7a937b6a33acc5868df3af72ae3a6187e8720303ff7aa7d00e7895ff77adfd504d8b394dacb34d30ff
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Formbook Payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext