General
Target: 135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794
Size: 463KB
Sample: 220521-py62gsbebj
MD5: 71f73f067e32b7a3e0ea01fc73135f8e
SHA1: b7be48737d5ff3e0500b12a618ec5e83514079ac
SHA256: 135d2c94647886d894ee45ae70ac9d0accad9860ff5c4b29397489783f56d794
SHA512: 7776a67ed5ddadfd4336c4e8ff44f62f72699212ae79181c5e5ee442913a2e8e51f77f6c5bf943a092b2fdced98d56f431af39ddd32bfd4992afbb3c1d853607
Static task: static1
Behavioral task: behavioral1
  Sample: DOC.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: DOC.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.varda.com.tr
Port: 587
Username: info@varda.com.tr
Password: varda9997929
Targets
Target: DOC.exe
Size: 756KB
MD5: 91d8c3dbdbe3db1041f438046e1bc0e0
SHA1: 6bdc2ac56290abdc35be53cdc1e697166c203d81
SHA256: fe200cf4827d467a2915295f0b092c7afedfc13dde1381a74bb884e2baceb44c
SHA512: 9b466c84d0c0815ead8c5691946a474daa9db3e823680acb9d0d189412b3e7dc10ecd6f1eb062637946bcef7ce1b54a1167d8c0f2abbd218c6bacb1155777e70
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload
- Drops file in Drivers directory
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext