General
-
Target
documents.zip
-
Size
671KB
-
Sample
220521-sdbavsdafl
-
MD5
d08f6f521536d1434fabc0266916be13
-
SHA1
fdb2f355d998805fa3f6dfaf53b7b954a0557400
-
SHA256
fce53b44b84508ba4e7acee4d1bbf06969b4195a23df372bedc6540714a994bd
-
SHA512
ed57c6d4a014a81efbb882c169cf65a105f7899214f75ba8457d72c0120de004ca594bf6b08c7b84df19ad7f24b977716f0005b739b5f729eec57e4b65d9120c
Static task
static1
Behavioral task
behavioral1
Sample
documents.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
documents.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
Protocol: smtp- Host:
mail.subnet-group.com - Port:
587 - Username:
edna@subnet-group.com - Password:
cr0cksh1t
Extracted
agenttesla
Protocol: smtp- Host:
mail.subnet-group.com - Port:
587 - Username:
edna@subnet-group.com - Password:
cr0cksh1t - Email To:
eh746746@gmail.com
Targets
-
-
Target
documents.exe
-
Size
787KB
-
MD5
c2a0577aead47c20d54918758c471247
-
SHA1
ffc6087cc7e098e74bd5efb3f6971342d5c1f12b
-
SHA256
0918c0111b97f8a25e9717e9b74a96c85e9f3801e2922bb050e8024edf9adff0
-
SHA512
1024c14e1fe279887e80b2f4d4b4423ef943bf6355f762b3a24cd6964e2350e77a2e0c43c0478a37fe46a8253f5866e4793dfd7225066e716e6165d623b4c84a
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-