General

Target: 3e9cbc4216bc44f59138e146415578bdd2af80c3f9dbb198b521cbf6e5ecd656
Size: 512KB
Sample: 220520-3c9gdabfcj
MD5: 53beebb74e84f9a8e912adc50c4c613f
SHA1: 65e21475b2472c8b76706f0ba632c9f4e3274a88
SHA256: 3e9cbc4216bc44f59138e146415578bdd2af80c3f9dbb198b521cbf6e5ecd656
SHA512: 4abdf20af7019d2bb794a07a47290321308f24b9031ca803e2779a3d999f9440d15c28e3190983ad4bd2d533fcfb86c61f219f2e64b4244a1c01c538c4ed576e
Static task: static1

Behavioral task: behavioral1
Sample: DOC PDF.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: DOC PDF.exe
Resource: win10v2004-20220414-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: smtp.palcoman.com
Port: 587
Username: [email protected]
Password: GgwWVBJ5
Targets

Target: DOC PDF.exe
Size: 687KB
MD5: 95cbcdfe7d89c89c759303a0e845d8b1
SHA1: 3950ee91663e1142e889208c474ebc7d36995d5c
SHA256: f82fcb01f1334b2885bc090c3bc8bc587f64919b9739e95ffe12c9e5d5bc11cd
SHA512: c00438306fe5bfae406db98ea71779745ebbe4643c2993fb12a47a13dca2de5c71ec40a81cbf8d9e7ad3901b6921ef9e46d7bd01d597c89df6a494ed20493e31
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext