General
- Target: rNewPOSPL036570_pdf.exe
- Size: 322KB
- Sample: 230403-pl98dagb9t
- MD5: 7105b90fb38cbfb87c81324292b69102
- SHA1: 9b6347e063466a4cb98745a12322597dbb3fc089
- SHA256: c1fea3070e2c0836fee930ce393a597e18a4c383a4ba007700d638f6a956da2c
- SHA512: 265e741b66c863ed3bb5e7c372942e1da81ffd40dce50a0f7f9e51b064b748bf77b1f64cf29f78213d180fc8f78477d1e079e7b22d7c3f723074cd173987f1a9
- SSDEEP: 6144:/Ya6rJVwps42oP2koYyBKxcUu+oR7KavJ33iyKg/fJC8mD7sKdLthJXYeVpdA8zi:/YBspseXZXxcvUaRnIGfJ0zphJI
Static task
- static1
Behavioral task
- behavioral1 (Sample: rNewPOSPL036570_pdf.exe, Resource: win7-20230220-en)
Behavioral task
- behavioral2 (Sample: rNewPOSPL036570_pdf.exe, Resource: win10v2004-20230220-en)
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: ubduipymcemperot
Targets
- Target: rNewPOSPL036570_pdf.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext