General
-
Target
3dd70997634cf1fa38ef4b476bf7ca5b88930b5bc69f37ad12df8013b110878a
-
Size
511KB
-
Sample
220520-3dadnsbfcl
-
MD5
0104adee808048e24eb685ac0b2e1d3d
-
SHA1
ac171f598a8c2da4d7c3fa12abc8bbc07c87ca0a
-
SHA256
3dd70997634cf1fa38ef4b476bf7ca5b88930b5bc69f37ad12df8013b110878a
-
SHA512
b671927c7c6d5fa7b9671706357598bdeedbc09dd6ce69e4c899933e5ef956fdf280261e5ea1695db9686c572dda0b82a093bbd1d964dda03f786a370d50c54c
Static task
static1
Behavioral task
behavioral1
Sample
DOC.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
DOC.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.palcoman.com
Port: 587
Username: [email protected]
Password: GgwWVBJ5
Targets
-
Target
DOC.exe
-
Size
687KB
-
MD5
95cbcdfe7d89c89c759303a0e845d8b1
-
SHA1
3950ee91663e1142e889208c474ebc7d36995d5c
-
SHA256
f82fcb01f1334b2885bc090c3bc8bc587f64919b9739e95ffe12c9e5d5bc11cd
-
SHA512
c00438306fe5bfae406db98ea71779745ebbe4643c2993fb12a47a13dca2de5c71ec40a81cbf8d9e7ad3901b6921ef9e46d7bd01d597c89df6a494ed20493e31
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-