General
- Target: 8d3fe61298bc4342e3c45b69015271807db0e851b6f34800b37435cc8867179c
- Size: 263KB
- Sample: 220521-ph7cbaafak
- MD5: 57dd082e3ba774aff9d572675a939ec3
- SHA1: 46f2b05fd3fbb75865c8d27725b3b0a5e9d52e7b
- SHA256: 8d3fe61298bc4342e3c45b69015271807db0e851b6f34800b37435cc8867179c
- SHA512: bf31b85d051d67ff0f1649786f22fdb7f03e31e8e43a3ccf2e7fec20b4d122d3e02bed2d4a92b9d1b11c12668583fbbbc634f5684217fc3bd4c909acccc347ce
Static task: static1
Behavioral task: behavioral1
- Sample: Doc-94220990687845334878-109.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Doc-94220990687845334878-109.exe
- Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.chenklins.com
- Port: 587
- Username: kelv@chenklins.com
- Password: 7AY8Uj[tEN)a
Targets
- Target: Doc-94220990687845334878-109.exe
- Size: 612KB
- MD5: 369a4d5f137e2aaf60e20d636f77b743
- SHA1: 8cbdcc5df2d74e92a3f18138303af8a789e44ecc
- SHA256: f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b
- SHA512: b0a2ad49496de1cadb9b181ec263fa76cafbea3e7b4c221237ab07e7ad8b71f1c2d382d6843005d01a7f993b25fd685eb15ea499439303fb894a4f710856fff0
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext