General
-
Target
invoice_7_812937_pdf.ppam
-
Size
40KB
-
Sample
220923-hkr7vahdan
-
MD5
0e53abb39e7f2e3a1fcfbd49dbebbb06
-
SHA1
ceae24d2c19181149f97bd012df151824c92a509
-
SHA256
c639cb71b586b5468a37ece7afc56c2b9653f15021a9ecc83e6428c744ac99b8
-
SHA512
d46fecf342da7300640084199b9f9a8277f949b31aa8fb171cb1b272ce2b0f563c6d5de063642112a1de4f31f0c3f9783a45f499087ea5de400ec4ac0ea3a669
-
SSDEEP
768:eARJ/c/lsTsK/n/Okf6R9/i/L2pdAVQuLPdYIhjtzCNKJAlFCgwZHyTZigXJ1/hB:eAXkt09fmj7ajvZqvzP/CoB91/K8NytQ
Static task
static1
Behavioral task
behavioral1
Sample
invoice_7_812937_pdf.ppam
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
invoice_7_812937_pdf.ppam
Resource
win10v2004-20220812-en
Malware Config
Extracted
https://www.bndsafety.xyz/p/7.html
Extracted
Protocol: ftp
Host: 107.182.129.168
Port: 21
Username: asasbvvryr7
Password: zxzxzmn
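The extracted config above is the sample's exfiltration channel: Agent Tesla uploads stolen credentials to an FTP drop account with the listed host, username and password, and the URL is the second extracted config. The script below is an added example, not part of the sandbox report: it turns those values into network indicators and runs them over a few constructed Zeek-style ftp.log rows (the column layout assumed is Zeek's default for ftp.log; the log lines and the internal addresses are made up for illustration). It flags both connections to the listed host and the drop username reused against another host, since the account, not only the IP, identifies the actor.

```python
"""Derive IOCs from the report's Agent Tesla config and match them in FTP logs.

Added example; the indicator values come from the report, everything else
(log rows, column layout, internal hosts) is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlparse

# Values exactly as listed in the report's "Malware Config" section.
C2_FTP = {"host": "107.182.129.168", "port": 21, "user": "asasbvvryr7"}
STAGE_URL = "https://www.bndsafety.xyz/p/7.html"

# Constructed Zeek ftp.log excerpt (tab separated, default field order).
# Line 2 hits the exfil host, line 4 reuses the drop account on another host.
FTP_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tuser\tpassword\tcommand\n"
    "1663926181.1\tCx1\t10.0.0.23\t49812\t107.182.129.168\t21\tasasbvvryr7\t<hidden>\tSTOR\n"
    "1663926190.4\tCx2\t10.0.0.40\t49910\t192.0.2.10\t21\tbackup\t<hidden>\tRETR\n"
    "1663926200.0\tCx3\t10.0.0.23\t49950\t198.51.100.7\t21\tasasbvvryr7\t<hidden>\tSTOR\n"
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    src: str
    reason: str


def iocs_from_config() -> dict:
    """Blockable indicators: exfil host/port, drop username, stager domain."""
    return {
        "ftp_host": C2_FTP["host"],
        "ftp_port": str(C2_FTP["port"]),
        "ftp_user": C2_FTP["user"],
        "stage_domain": urlparse(STAGE_URL).hostname,
    }


def scan_ftp_log(lines: Iterable[str]) -> List[Hit]:
    """Match Zeek ftp.log rows against the Agent Tesla FTP indicators."""
    iocs = iocs_from_config()
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        if not raw.strip() or raw.startswith("#"):
            continue  # blank or Zeek header row
        f = raw.rstrip("\n").split("\t")
        if len(f) < 7:
            continue  # malformed row, not a ftp.log record
        src, dst, dport, user = f[2], f[4], f[5], f[6]
        if dst == iocs["ftp_host"] and dport == iocs["ftp_port"]:
            hits.append(Hit(n, src, f"FTP session to Agent Tesla exfil host {dst}:{dport}"))
        elif user == iocs["ftp_user"]:
            # Same drop account on a different server: same campaign, new infrastructure.
            hits.append(Hit(n, src, f"Agent Tesla drop account {user} used against {dst}"))
    return hits


if __name__ == "__main__":
    print("IOCs:", iocs_from_config())
    for h in scan_ftp_log(FTP_LOG.splitlines()):
        print(f"line {h.line_no}: {h.src} -> {h.reason}")
```

The source host of each hit is the machine to pull for triage; a match on the username alone is worth alerting on because Agent Tesla builds reuse their FTP account across panels far longer than any single IP stays up.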
Targets
-
Target
invoice_7_812937_pdf.ppam
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, historically written in Visual Basic (VB.NET); it harvests saved credentials and keystrokes and exfiltrates them over SMTP, FTP or HTTP, here via the FTP account in the extracted config.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up the country code configured in the registry, most likely to geofence execution to or away from particular locales.
-
Drops startup file
-
Accesses Microsoft Outlook profiles
-
Suspicious use of SetThreadContext
-
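The target is a .ppam, a macro-enabled PowerPoint add-in, and the "Process spawned unexpected child process" signature is what you expect when an Office host runs a macro that launches a stager. A .ppam is an OOXML zip, so the first static check is whether it carries a VBA project (the OLE stream at ppt/vbaProject.bin, declared in [Content_Types].xml). The script below is an added example, not the sandbox's own analysis: it builds a small stand-in add-in in memory, since the real sample is not on this page, and runs the same triage it would run on a file from disk, including a hash comparison against the SHA256 listed in the report.

```python
"""Static triage of a PowerPoint add-in (.ppam): VBA presence and hash check.

Added example. The add-in built by build_fake_ppam() is constructed here so
the script runs offline; replace it with the bytes of a real file to use it.
"""
import hashlib
import io
import zipfile

VBA_PART = "ppt/vbaProject.bin"                        # VBA project location in .pptm/.ppam
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # vbaProject.bin is an OLE compound file

# SHA256 of invoice_7_812937_pdf.ppam as listed in the report.
REPORT_SHA256 = "c639cb71b586b5468a37ece7afc56c2b9653f15021a9ecc83e6428c744ac99b8"


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the file, to compare with a sandbox report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage_ppam(data: bytes) -> dict:
    """Inspect an add-in: is it a zip, which parts exist, is a VBA project present."""
    result = {"is_zip": False, "entries": [], "vba_declared": False,
              "has_vba": False, "vba_is_ole": False, "vba_size": 0,
              "matches_report": hashes(data)["sha256"] == REPORT_SHA256}
    if not data.startswith(b"PK\x03\x04"):
        return result  # not OOXML; could be a renamed binary, treat as suspicious
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        result["is_zip"] = True
        result["entries"] = z.namelist()
        if "[Content_Types].xml" in result["entries"]:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["vba_declared"] = MACRO_CONTENT_TYPE in types_xml
        if VBA_PART in result["entries"]:
            blob = z.read(VBA_PART)
            result["has_vba"] = True
            result["vba_is_ole"] = blob.startswith(OLE_MAGIC)
            result["vba_size"] = len(blob)
    return result


def build_fake_ppam() -> bytes:
    """Constructed stand-in for the sample: minimal add-in skeleton with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   f'<Override PartName="/{VBA_PART}" ContentType="{MACRO_CONTENT_TYPE}"/>'
                   "</Types>")
        z.writestr("ppt/presentation.xml", "<p:presentation/>")
        # Only the OLE header is reproduced; a real project holds compressed VBA streams.
        z.writestr(VBA_PART, OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_fake_ppam()
    print(hashes(sample))
    print(triage_ppam(sample))
```

A declared VBA content type with the part missing, or a vbaProject.bin that is not an OLE file, are both worth a closer look: add-ins that will not open cleanly in PowerPoint still get their macros executed once the user enables content, so the zip structure alone says nothing about safety.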