General
- Target: 9888c457740377c7aaa34b743985c151226fab832c3dabddf9a5c43352eff34c
- Size: 508KB
- Sample: 220521-cykr2ahgdm
- MD5: b121e6108cfe6c1edf9eea84fde21566
- SHA1: 656ea4c6fa0ea4b8317174a638b5361967eeeca9
- SHA256: 9888c457740377c7aaa34b743985c151226fab832c3dabddf9a5c43352eff34c
- SHA512: 1e8445996c5a7ca93112ef51721f3ed9d9a7df6363f4f10c4bcf5b222948d0f91f34e8d4b77d3369699e4322f60b941961943da16312ac1ca509a9b012c813ad
Static task: static1
Behavioral task: behavioral1
- Sample: Ralson payment slip.pdf.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Ralson payment slip.pdf.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.pro-powersourcing.com
- Port: 587
- Username: [email protected]
- Password: china1977
Targets
- Target: Ralson payment slip.pdf.exe
- Size: 550KB
- MD5: cb6edb483fbed56eeb55c8cdf8729d6a
- SHA1: ef5b5ad700ae044299f46f480817515f12093a8b
- SHA256: 7582634a83ef1c1bf123347b22852b93f134b6b97f10aaffa2aebd5df7b920e9
- SHA512: f6bd7ee2f9194e9f73caa1585b9c17711906f3249e9c9bd91ebdc8991ff82587f04012d73c47a72df841e6a0429eb0c47b0a0a8d3524c64de83817164b3eff97
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Disables Task Manager via registry modification
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext