General
Target: Purchase orders with bank details.ppam
Size: 8KB
Sample: 211018-yhjqpaeee2
MD5: ba36220554ab830aad2ce4f4a0a2acb4
SHA1: f54bb00c862d0f1f0e883e691a87da8285e1997b
SHA256: da7b242a5fac33fd8bc5ad7650f4e0a946b0b07c01a239d778ec289c63b5be18
SHA512: 96809ecdef0947de44e08447ee4add90a62a5be111d0df8348d747e595b29879d12866bab3bd9011084946194d1b8a8a9a44920fc1689697767e38aef1339633
Static task: static1
Behavioral task: behavioral1
  Sample: Purchase orders with bank details.ppam
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Purchase orders with bank details.ppam
  Resource: win10-en-20211014
Malware Config
Targets
Target: Purchase orders with bank details.ppam
Size: 8KB
MD5: ba36220554ab830aad2ce4f4a0a2acb4
SHA1: f54bb00c862d0f1f0e883e691a87da8285e1997b
SHA256: da7b242a5fac33fd8bc5ad7650f4e0a946b0b07c01a239d778ec289c63b5be18
SHA512: 96809ecdef0947de44e08447ee4add90a62a5be111d0df8348d747e595b29879d12866bab3bd9011084946194d1b8a8a9a44920fc1689697767e38aef1339633
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- AgentTesla Payload
- Blocklisted process makes network request
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext