General
Target: 004_ORDEN DE COMPRA 80107.PDF.exe
Size: 185KB
Sample: 220119-jan8wafhfn
MD5: 2b994636254e2a45d7feeec62a6c4294
SHA1: 43be6c536cfc0edcd2d1a335abcc0110f7fe2b6c
SHA256: 2eb62d09e301701921e3f7a70aacebdaef1ad8cd55c600adc6005a17e7607edc
SHA512: 3dcda0effe13ee3acff1408279cd514b85cb193c861d64fa831694ec42c1ea669d9eeb45362bc23e149c739ad6cc54678258d7d766f6b9448afa52cbe2566605
Static task: static1
Behavioral task: behavioral1
  Sample: 004_ORDEN DE COMPRA 80107.PDF.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 004_ORDEN DE COMPRA 80107.PDF.exe
  Resource: win10v2004-en-20220112
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.gettoner.com.mx/
Port: 21
Username: droid@gettoner.com.mx
Password: fedxunited543@
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext