General
-
Target
f1f18b0a7efd6702ce47f9bea620165785050d55074d6ae27e6a6ff4322f6ad3
-
Size
331KB
-
Sample
220521-ex3ybshgh8
-
MD5
788dbf576e0a2674990aca2e9360b270
-
SHA1
dd4485960723c552b40decf3592d92c29b22c2fe
-
SHA256
f1f18b0a7efd6702ce47f9bea620165785050d55074d6ae27e6a6ff4322f6ad3
-
SHA512
1a9134d2dc68e07e33c98be06c9081b383893d181f7db4f9d8455ecddd226be47e2f4404619aaaffd940a81c12e0640102f3837e698b24cb0cdf757eb51b6a8b
Static task
static1
Behavioral task
behavioral1
Sample
hesaphareketi000,pdf.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
hesaphareketi000,pdf.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.slbdc-lk.org
Port: 587
Username: [email protected]
Password: finance2017
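The extracted SMTP configuration is the most actionable part of this report: the host, port and credential are what the sample uses to send stolen data out. The script below is an added example (not part of the sandbox report and not AgentTesla tooling) that parses the config in the "Key: value - Key: value" form the report renders it in, emits a Suricata DNS rule for the exfiltration host, and matches the host against Sysmon-style DNS-query and network-connection events. The username is shown obfuscated on the page and is left exactly as shown; the JSON event lines are constructed for the demo, and the Suricata rule text is the author's assumption of a sensible detection, not something the report provides.

```python
"""Hunting indicators from the extracted AgentTesla SMTP config.

Added example, not part of the sandbox report and not AgentTesla tooling.
EXTRACTED_CONFIG is the report's own extraction in the "Key: value - Key: value"
form the report renders it in; the username is shown obfuscated on the page and
is left exactly as shown. The Sysmon-style JSON lines are constructed for the
demo, and the Suricata rule text is the author's assumption of a sensible
detection, not something the report provides.
"""
import json
import re

EXTRACTED_CONFIG = (
    "Protocol: smtp - Host: mail.slbdc-lk.org - Port: 587 - "
    "Username: [email protected] - Password: finance2017"
)

# Constructed Sysmon events (22 = DNS query, 3 = network connection).
SAMPLE_EVENTS = [
    r'{"EventID": 22, "Image": "C:\\Users\\victim\\Desktop\\hesaphareketi000,pdf.exe", "QueryName": "mail.slbdc-lk.org"}',
    r'{"EventID": 3, "Image": "C:\\Users\\victim\\Desktop\\hesaphareketi000,pdf.exe", "DestinationHostname": "mail.slbdc-lk.org", "DestinationPort": 587}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationHostname": "smtp.office365.com", "DestinationPort": 587}',
    r'{"EventID": 22, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "www.microsoft.com"}',
]


def parse_config(text):
    """Split 'Key: value - Key: value' into a dict keyed by lower-case field name."""
    fields = {}
    for key, value in re.findall(r"(\w+):\s*(.*?)(?=\s+-\s+\w+:|$)", text):
        fields[key.lower()] = value.strip()
    if "port" in fields:
        fields["port"] = int(fields["port"])
    return fields


def suricata_dns_rule(cfg, sid=9000001):
    """Alert on any DNS lookup of the exfiltration host (assumed rule, Suricata 5+ keywords)."""
    host = cfg["host"]
    return (
        f'alert dns $HOME_NET any -> any any (msg:"AgentTesla SMTP exfil host lookup {host}"; '
        f'dns.query; content:"{host}"; nocase; sid:{sid}; rev:1;)'
    )


def match_events(cfg, lines):
    """Return (kind, image) for events that touch the configured host.

    Matching is on the hostname, not the port: 587 is the normal SMTP
    submission port, so a port-only rule would flag every mail client.
    """
    host = cfg["host"].lower()
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 22 and ev.get("QueryName", "").lower() == host:
            hits.append(("dns_query", ev.get("Image")))
        elif eid == 3 and ev.get("DestinationHostname", "").lower() == host:
            kind = "smtp_connect" if ev.get("DestinationPort") == cfg["port"] else "connect"
            hits.append((kind, ev.get("Image")))
    return hits


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(cfg)
    print(suricata_dns_rule(cfg))
    for kind, image in match_events(cfg, SAMPLE_EVENTS):
        print(f"{kind:13} {image}")
```

Sysmon only fills DestinationHostname when it can resolve the address, so in practice the Event ID 22 query is the more reliable of the two signals; the Outlook connection to port 587 in the sample data is deliberately left unflagged to show why the port alone is not an indicator.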
Targets
-
Target
hesaphareketi000,pdf.exe
-
Size
938KB
-
MD5
1d77691991b358cddb9e88b28380b124
-
SHA1
e815d27cdf5fde77c3ac60388408bb27304dc75a
-
SHA256
a9892834c6f030fd7a292b213a39270e2fc991b6c9287fff73b540dd2b36e290
-
SHA512
6660827d12b5e21f9116ea5cbf48e484e95c3fdc41969a3a9e78677c29c36768f8652656c126007814db8d27d242d7bc748ece8a26f179da24a57036048fdc0b
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET; this sample exfiltrates over SMTP using the host and credentials in the extracted config above.
-
Modifies WinLogon for persistence
-
Modifies visibility of hidden/system files in Explorer
-
AgentTesla Payload
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence check.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
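Three of the behaviour tags above (Winlogon modification, Run key, Explorer hidden-file settings) are registry value writes, which Sysmon records as Event ID 13. The script below is an added example, not part of the sandbox report, that triages such events back to those tags. The specific key and value names it matches (Winlogon Userinit/Shell, CurrentVersion\Run, Explorer\Advanced\Hidden and friends) are the author's assumption of what the tags refer to; the report itself names no key. The JSON event lines and the dropped file name WindowsUpdate.exe are constructed for the demo.

```python
"""Map Sysmon Event ID 13 (registry value set) records to the report's behaviour tags.

Added example, not part of the sandbox report. The registry paths below are
the author's assumption of what each behaviour tag corresponds to; the report
names no specific key. Event lines and the dropped file name are constructed.
"""
import json
import re

# Winlogon\Userinit and Winlogon\Shell are the classic logon-time persistence values.
WINLOGON_RE = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)
# Any value written under HKCU/HKLM ...\CurrentVersion\Run or RunOnce.
RUN_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# Explorer view settings a stealer flips to keep its dropped files out of sight.
EXPLORER_RE = re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden|HideFileExt)$", re.I)

# Stock values of the Winlogon entries; rewriting these is not persistence.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}

# Constructed Sysmon events as JSON lines (e.g. as shipped by winlogbeat).
SAMPLE_EVENTS = [
    r'{"EventID": 13, "Image": "C:\\Users\\victim\\Desktop\\hesaphareketi000,pdf.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate", "Details": "C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "Details": "C:\\Windows\\system32\\userinit.exe,"}',
    r'{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit", "Details": "C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe"}',
    r'{"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\WindowsUpdate.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000002)"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Start_ShowRun", "Details": "DWORD (0x00000001)"}',
    r'{"EventID": 12, "Image": "C:\\Users\\victim\\Desktop\\hesaphareketi000,pdf.exe", "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "EventType": "CreateKey"}',
]


def classify(event):
    """Return the report behaviour tag an Event ID 13 record maps to, or None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    m = WINLOGON_RE.search(target)
    if m:
        name = m.group(1).lower()
        # Windows and installers legitimately (re)write the stock value; only
        # a changed value counts as persistence.
        if details.strip().lower().rstrip(",") == WINLOGON_DEFAULTS[name].rstrip(","):
            return None
        return "Modifies WinLogon for persistence"
    if RUN_RE.search(target):
        return "Adds Run key to start application"
    if EXPLORER_RE.search(target):
        return "Modifies visibility of hidden/system files in Explorer"
    return None


def triage(lines):
    """Parse JSON lines and keep the records that map to a behaviour tag."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            findings.append({
                "tag": tag,
                "image": ev.get("Image"),
                "target": ev["TargetObject"],
                "details": ev.get("Details"),
            })
    return findings


def behaviours_by_image(findings):
    """Group tags per writing process, mirroring the report's per-target behaviour list."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["image"], set()).add(f["tag"])
    return grouped


if __name__ == "__main__":
    for image, tags in behaviours_by_image(triage(SAMPLE_EVENTS)).items():
        print(image)
        for tag in sorted(tags):
            print("  -", tag)
```

The remaining tags need other telemetry: the country-code lookup behind "Checks computer location settings" is a registry read, which Sysmon does not log, and "Suspicious use of SetThreadContext" is an API-level signal that only a sandbox or an EDR with thread-context hooks will surface.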