General
Target: 7180c696cd1ba7b42913cbbcdbdb52631e568308d94cf7b36da1fed6c00b9278
Size: 527KB
Sample: 220521-nbwrkagedp
MD5: 32bb42e3fc22a36b1ea958e0601fe076
SHA1: 7dc76aceb65fb8c400521b09b0a3e2dcf4fc7d63
SHA256: 7180c696cd1ba7b42913cbbcdbdb52631e568308d94cf7b36da1fed6c00b9278
SHA512: 0fab905844915f7820bc3518befa0f5a80df36868dbe2fc12b79d56e31bfae51940ebd590b6dc867efcd904d54d64c4962a8a4521369d689412599c50d1be378
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTATION.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: QUOTATION.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.ritac-eg.com
Port: 587
Username: ugoblaq@ritac-eg.com
Password: YM%dNtj2
Targets
Target: QUOTATION.exe
Size: 579KB
MD5: 604108d0607c37fef45d876d0f4d834c
SHA1: 680b0c8b2f76e0b47f4d37c75f9b7cc1797f9cce
SHA256: b7a6f698d55b81c17148ab01aa383457174788d2448d6a6df8e0d9db3c77dd12
SHA512: 1eb51f42346da4d49e20edc0446c7783838600901489ebe98aecfe1020a0d773d2b8f089852e47f9c4212728fcc5cee4ee1ab08341dcc4bfa02a072d81565fcb
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext