General
- Target: abd261879ff1611f42e267980489b5b90cc5d8f1e8317fb118b58d9bc15a1db5
- Size: 282KB
- Sample: 220521-nrbrbsead7
- MD5: 5b1b28b04412ad1d949e3cb70a7483ee
- SHA1: 02190bed36fc1fce02e3d2ffdee381062c7ba286
- SHA256: abd261879ff1611f42e267980489b5b90cc5d8f1e8317fb118b58d9bc15a1db5
- SHA512: 24ab122f1195556c9e1a8e1ab7f7c395fa3e15765b6d21f7fb5e32286d0d3da1c240c464cead5781aa80e26e82e4bb59a38894cb762c95daf48e5a2448bdf9e8
Static task: static1
Behavioral task: behavioral1
- Sample: PO20200716-July.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: PO20200716-July.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: realmen2020@yandex.ru
- Password: zS8ZQ88MrxAbUtE
Targets
- Target: PO20200716-July.pif
- Size: 666KB
- MD5: 32b3a0cf4205e5e48691c110aa082d1e
- SHA1: 4ec9cce9ec3a012e53e9b116d40f7506c4632e14
- SHA256: 95cc09bf84b557baa4ce240a6034d1169e12f4268bf9041c4116f149f7603afe
- SHA512: 29d351454db9aa84a18704659f89ffa148df0fa5483f4ad2a9e127411862eddad35a073ab1d6feb2c3e00a746f063cdd12972259d5600700994f827819721639
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext