General
- Target: code.ps1
- Size: 138B
- Sample: 220930-3trynafbc8
- MD5: efa136867081936967a0ac27271b2fda
- SHA1: 756f0d9e09882c8531618458e5d582fd5b46fbad
- SHA256: e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e
- SHA512: 77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711
Static task: static1
Behavioral task: behavioral1
- Sample: code.ps1
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: code.ps1
- Resource: win10v2004-20220901-en
Malware Config
- Extracted: https://bitbucket.org/!api/2.0/snippets/tinypro/yEG5xg/87f5d9d29b55f427e764f574f85ffdc00d4e918b/files/black2.txt
Targets
- Target: code.ps1
- Size: 138B
- MD5: efa136867081936967a0ac27271b2fda
- SHA1: 756f0d9e09882c8531618458e5d582fd5b46fbad
- SHA256: e4cda1631a3df7932fb319567b2696e096d1f59f66a6d1611436217943bd692e
- SHA512: 77e76132c86321792cb621cc9c9f298b59a6ee813553fb2199a1ea82c60549c95c38ed0574c25b40faecfcccdd7931134fae8817fa8ac30c0eb405e4a2eed711
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Registers COM server for autorun
- Accesses Microsoft Outlook profiles
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext