General
Target: ae0f990ac79ae98e70a050cb2fe298a269f46974d9d6cb33f4138e8f693f309b
Size: 269KB
Sample: 220520-3al83abeaq
MD5: df0b860dd503ecd282fd5238f13ad8d0
SHA1: 75b3d23945ad362970969a77c6d12f23af1ab93a
SHA256: ae0f990ac79ae98e70a050cb2fe298a269f46974d9d6cb33f4138e8f693f309b
SHA512: dbfc2f956cedc59d3eeb7cefeec24d6241d291fd28c9432084b1d83cb19556f4022345df182305f9f78aa502c46c5cb618f42fa7138e0d670903388dc8a1a43c
Static task: static1
Behavioral task: behavioral1
Sample: RFQ86437C.exe
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: RFQ86437C.exe
Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: benneth1975@@@@@
Targets
Target: RFQ86437C.exe
Size: 806KB
MD5: bb177815728b49fd39053b643826b5cf
SHA1: ca54b0b08a6f994e4594573ca4729cce88be33c9
SHA256: 5fac93ed0fd840cedfc559b7f2285ad384004e78fd53178b09bef6b13db08b84
SHA512: ee2f8da0d4d9e00085ca368c38be1d9fa024fa541b094d26d44077202ffb8f6c9475fad02a5f8c293b93dc6b1838325017bf611e40da25ec44e4f47f546f5d82
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext