General
- Target: 777d84fb9c04deadd763e2a7ff06e4a594461a20d238da9abd22b9b9d82d97d9
- Size: 551KB
- Sample: 220520-2ese7sfbh8
- MD5: 7eb52a3aaa3a4ba752723240aeface43
- SHA1: 2bc918c660358730e88fd6f6346a0f2bc7071803
- SHA256: 777d84fb9c04deadd763e2a7ff06e4a594461a20d238da9abd22b9b9d82d97d9
- SHA512: dc6b88fc732f6b8f769a64783830a07637c32040d5f012afcc478dbe8dd37013151a7243462f9c7b03f997fd5b4ed5c26d17700152bca928a0663537b62055c5
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ Order - Mediform S.A_pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: RFQ Order - Mediform S.A_pdf.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.turblneservices.com/
- Port: 21
- Username: [email protected]
- Password: 90opklnm@123
Targets
- Target: RFQ Order - Mediform S.A_pdf.exe
- Size: 757KB
- MD5: 703768db14ef6f320717c372f11f91b0
- SHA1: 6502f1b42595f1c7c0fdafab681e6f66ec59222e
- SHA256: e72bbdfcc56339eb2aca00e01162d7fdd1004d9992150f2dea1b014d6b4469ac
- SHA512: 8e28874a6c1a3b19395060875c3591a878f4110accc91ec021f552f6f8a71f56fb0a3e549c48c55d5cabc3a0a87174ff31ef9310c03e5f512f29b4b726cdb83a
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext