General
Target: PO_SHZ4128332S.IMG
Size: 1.2MB
Sample: 211019-nlynxagfcn
MD5: 496c3cdb328fb65d9a7f7a8136461159
SHA1: 38bf6cb84e8d1cd8e08c244ff210483377ed405c
SHA256: 175e981a152c22c1c3503285b4d1d2d1837f2119116881838f27d9972f63d8ad
SHA512: 6c85e768a9430d37acec8fff60fd3dded937927aa6d1da2cc930e111a70f761392cf86dc8b8cc833fe54365cae3e7940844a0c85383985b1f5cfa1f4d0cbab5a
Static task: static1
Behavioral task: behavioral1
Sample: PO_SHZ41.EXE
Resource: win7-en-20210920
Behavioral task: behavioral2
Sample: PO_SHZ41.EXE
Resource: win10-en-20211014
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.mail.ru
Port: 587
Username: [email protected]
Password: xxxlahot2
Targets
Target: PO_SHZ41.EXE
Size: 72KB
MD5: 410cce7e5da174865ae1c5d65458d92c
SHA1: 0ea38171202123c4f0115cb5cefc578bc0b664a3
SHA256: 8dc1640499a6b1cac921adb0e5899e2fe02f4902b2f6acfa5d4f7c2f277e54cc
SHA512: f7eca94b7ec65a7e932d0faeb37703c716b5856f71a696378c01e44ea3c4749b10892e877f4efc75797319648fbe77ad143cf53ba01f4324eb76e4be32128a20
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Turns off Windows Defender SpyNet reporting
- AgentTesla Payload
- Nirsoft
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application