General
Target: 7de5607a4d813b02830c68e50fcef26e5a647865d5ba65e4a2fa6b57b940c038
Size: 376KB
Sample: 220206-zhwwpabhdp
MD5: c054272141305595d7c39457d58e857e
SHA1: b863c5f2a8bbc81a1fc9c2e265602be6f14169ca
SHA256: 7de5607a4d813b02830c68e50fcef26e5a647865d5ba65e4a2fa6b57b940c038
SHA512: 8b0e5016efa6f2da909c05bf2247d17277197fa061ad686027148c8f0dac6cf501e9f3fc7d3f21474fb94066ec9072dc64042430befd85b753ed1bb20c1448e0
Tasks
Static task: static1
Behavioral task: behavioral1 (sample ITEMS_LIST.exe, resource win7-en-20211208)
Behavioral task: behavioral2 (sample ITEMS_LIST.exe, resource win10v2004-en-20220112)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: [email protected] (the address is not preserved in this copy of the report)
Password: nVNnX!S0
This is Agent Tesla's SMTP exfiltration mode: stolen data is emailed through the actor-controlled mailbox whose credentials are embedded in the sample, so the host, port and mailbox are the actionable network indicators from this run.
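The extracted config turned into a detection, as an added example that is not part of the sandbox report: it classifies network events shaped like Sysmon Event ID 3 (Image, DestinationHostname, DestinationPort) and flags either a connection to the report's SMTP host or any non-mail-client process using the SMTP submission port. The host and port are the report's values; the event records, the process paths and the mail-client allow-list are constructed for the demo.

```python
# Added example (not from the sandbox report): match Sysmon-style network events
# against the Agent Tesla SMTP exfil config extracted from ITEMS_LIST.exe.

# Exfiltration endpoint from the report's "Malware Config" block.
C2_HOST = "us2.smtp.mailhostbox.com"
C2_PORT = 587

# Processes that may legitimately speak SMTP submission (assumed allow-list; tune per estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def classify_event(ev):
    """Return a reason string if a network event shaped like Sysmon Event ID 3
    (Image, DestinationHostname, DestinationPort) looks like Agent Tesla SMTP
    exfiltration, otherwise None."""
    image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    port = int(ev.get("DestinationPort", 0) or 0)
    if host == C2_HOST:
        # Direct hit on the extracted C2 host, regardless of process.
        return "connection to known Agent Tesla SMTP host " + C2_HOST
    if port == C2_PORT and image not in MAIL_CLIENTS:
        # Same port, unknown host: catches rebuilt samples pointing at other mailboxes.
        return "non-mail process %s on SMTP submission port %d" % (image, port)
    return None


def scan(events):
    """Return (image, reason) for every event that matches."""
    hits = []
    for ev in events:
        reason = classify_event(ev)
        if reason:
            hits.append((ev.get("Image", ""), reason))
    return hits


# Constructed events for the demo (not telemetry from the sandbox run).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Roaming\ITEMS_LIST.exe",
     "DestinationHostname": "us2.smtp.mailhostbox.com", "DestinationPort": "587"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "smtp.office365.com", "DestinationPort": "587"},
    {"Image": r"C:\Users\user\Downloads\invoice.exe",
     "DestinationHostname": "", "DestinationPort": "587"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "ctldl.windowsupdate.com", "DestinationPort": "80"},
]

if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(image, "->", reason)
```

The second rule deliberately fires on port alone: Agent Tesla builds are re-pointed at fresh mailboxes constantly, so the host is the weakest indicator and an unexpected process on 587 is the one worth keeping after this sample's mailbox is gone.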
Targets
Target: ITEMS_LIST.exe
Size: 315KB
MD5: d3bc29cf09e1a64461a29ac2fab29aef
SHA1: f23f0dca5dec04e538246c69ee6635f0e0c62591
SHA256: 94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc
SHA512: 7f9084aa1fd382f615a949504d4ce15f53e0d10af5c779b2252ffcadc83ff0d4dc613b8f38eafd0a932aee4db881d83b91b7c667c9348ef6f16fae050acf55d6
These hashes describe the executable that was actually run (ITEMS_LIST.exe, 315KB) and differ from the submitted object in the General section (376KB); hunt on both sets.

Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET (Visual Basic .NET); this build exfiltrates over SMTP using the credentials in the extracted config above.
Detect Neshta Payload
Modifies system executable filetype association
Neshta
Neshta is a file infector: it prepends its own code to other executables so that launching any infected program spreads it further, and it rewrites the exefile shell\open\command handler so the infector runs in front of every .exe launch (the "Modifies system executable filetype association" hit above). Because clean programs on the host get infected as collateral, deleting the dropped files is not enough; the association must be restored and infected binaries replaced.
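One way to check for the association hijack the Neshta indicator above refers to, as an added example that is not part of the sandbox report: parse the (Default) value of exefile\shell\open\command and report anything interposed in front of the stock "%1" %* handler. The hijacked values below are constructed in the shape Neshta uses (an infector path followed by the original handler), not values recovered from this sample; the live-registry read uses the standard winreg module and is only meaningful on a Windows host.

```python
# Added example (not from the sandbox report): detect a hijacked .exe file association
# of the kind the "Modifies system executable filetype association" indicator reports.
import re

# Stock handler Windows installs for HKCR\exefile\shell\open\command.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'


def parse_exefile_command(value):
    """Split the (Default) value of exefile\\shell\\open\\command into
    (interposed_program, remainder). A clean system has no interposed program,
    so the first element is None."""
    v = value.strip()
    if v == DEFAULT_EXEFILE_COMMAND:
        return None, v
    # A hijack reads: <quoted or unquoted path> "%1" %*
    m = re.match(r'^(?:"([^"]+)"|(\S+))\s+(.*)$', v)
    if not m:
        return v, ""
    return (m.group(1) or m.group(2)), m.group(3)


def exefile_hijack_verdict(value):
    """Return 'clean', 'hijacked: ...' or 'suspicious: ...' for a handler value."""
    prog, rest = parse_exefile_command(value)
    if prog is None:
        return "clean"
    if rest.strip() == DEFAULT_EXEFILE_COMMAND:
        # Classic file-infector pattern: run the infector, which then runs the real target.
        return "hijacked: %s is interposed in front of every .exe launch" % prog
    return "suspicious: unexpected handler %r" % value


def read_live_exefile_command():
    """On Windows, return the real registry value; elsewhere return None
    (winreg only exists on Windows)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        return winreg.QueryValueEx(key, "")[0]


if __name__ == "__main__":
    live = read_live_exefile_command()
    if live is not None:
        print(exefile_hijack_verdict(live))
    # Constructed values showing each verdict (assumed paths, not from this sample).
    for sample in (DEFAULT_EXEFILE_COMMAND,
                   r'C:\Windows\svchost.com "%1" %*',
                   '"C:\\Tools\\wrapper.exe" "%1" %*',
                   '"%1"'):
        print(repr(sample), "->", exefile_hijack_verdict(sample))
```

Run it on the infected VM and on a known-good image of the same build; anything other than "clean" on HKCR (which merges HKLM and HKCU) is the association hijack, and the interposed path is the file to pull for the Neshta payload.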
AgentTesla Payload
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Loads dropped DLL
Accesses Microsoft Outlook profiles: Agent Tesla harvests saved mail-client credentials, the same class of data it then sends out over the SMTP channel in the extracted config.
Adds Run key to start application: persistence through a Run registry key.
Suspicious use of SetThreadContext: consistent with process hollowing, where the unpacked payload is written into a suspended process and its thread context redirected to it.