General
Target: 220317-pcwnmadeb6_pw_infected.zip
Size: 377KB
Sample: 220317-pgntksdef4
MD5: bc9eb54c14073f64e7f571b6a049bd9e
SHA1: d6a34b17bd157a4eb55a0a954a6e9bfd9193a14e
SHA256: cb03d01cbf3783e1d19e26a1f2ff55ce711b53df64b4ddad68367a2ea1bc6a4f
SHA512: c056e31513bb253541e4141a854220119d1cbef94f27dcc21e4f9fb89d13f97dc49f0814b1cc6bd0385f6aa6d040f75d88ad8b68114a246f14ae9be8b23ed089
Static task: static1
Behavioral task: behavioral1
Sample: Shipping Document PL&BL Draft.exe
Resource: win10v2004-de-20220113
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: msonsgroup.in
Port: 587
Username: [email protected]
Password: flex2424@
Email To: [email protected]
Targets
Target: Shipping Document PL&BL Draft.exe
Size: 1.9MB
MD5: 94fbe5a58977c921436351766164d747
SHA1: ca7b58e4d9b4caeafa1f772e56a93363a07f6a65
SHA256: 8cbf496620e93736005fc69b9eb0f162e4e716786ab5e29e94ead94bf496cd02
SHA512: 9f11edd872bb117c1ca00bed355876ff9d87618604675aeb4988cb957d38a2bf820050cf2f4ecaf4301bcd73556d7b06a135d848d01d8bc6713a5d001baaa3a8
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Registers COM server for autorun
- AgentTesla Payload
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Creates a Windows Service
- Drops file in System32 directory
- Suspicious use of SetThreadContext