General
Target: quotation#247833.pdf.exe
Size: 612KB
Sample: 240328-qmctyagc32
MD5: 52bbe58331758dd37f776189080a5ead
SHA1: 2542cfdfee6da01c4657c13b3327ebf6f91d42da
SHA256: 825a37255a61598eaa9eb15897dbc89f7e3637193c4e17775fbbc145ca523528
SHA512: a99a78ccc4ccc8fd2797d4f2f2c766c9043dd1dbbc7a588680d0472c43c44a78e31212c38f1753196cf0609e65b079b12656a59a934ae36ed4ff3e4f9312e5b8
SSDEEP: 12288:S5+SDlnIqMoroxB4559YxaxO2b0NJk+mYRSn9//kcCR8gyn8M4Rxg:CzM7xy559YxaxT0NJkiRU+cCR8VD4fg
Static task: static1
Behavioral task: behavioral1
Sample: quotation#247833.pdf.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: quotation#247833.pdf.exe
Resource: win10v2004-20240226-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: email.globeauto.in
Port: 587
Username: ch02a_warranty@globeauto.in
Password: Mohali@@1#
Email To: omdbox@protonmail.com
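The extracted config gives the full SMTP exfiltration path (server, port, the login the stealer authenticates with, and the mailbox the data is sent to). The following is an added example, not part of the sandbox report: it turns those values into indicators and runs them over a few constructed, tab-separated records in the style of a Zeek smtp.log (source IP, server host, server port, MAIL FROM, RCPT TO). The column layout and the sample records are assumptions for illustration; only the indicator values come from the page.

```python
"""Match SMTP log records against the exfiltration config extracted above.

Added example, not part of the sandbox report. The indicator values are the
ones in the extracted AgentTesla config; the log lines are constructed to look
like a tab-separated Zeek smtp.log (src IP, server host, server port, MAIL FROM,
RCPT TO) and that column layout is an assumption for illustration.
"""
from dataclasses import dataclass

# Indicators copied from the extracted config (host, port, login, recipient).
EXFIL_HOST = "email.globeauto.in"
EXFIL_PORT = 587
EXFIL_USER = "ch02a_warranty@globeauto.in"
EXFIL_RCPT = "omdbox@protonmail.com"


@dataclass
class SmtpRecord:
    src: str
    dst_host: str
    dst_port: int
    mail_from: str
    rcpt_to: str


def parse_smtp_line(line: str) -> SmtpRecord:
    """Parse one constructed tab-separated line; raise ValueError if malformed."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    src, dst_host, dst_port, mail_from, rcpt_to = fields
    # Hostnames and addresses are case-insensitive; normalise once here.
    return SmtpRecord(src, dst_host.lower(), int(dst_port),
                      mail_from.lower(), rcpt_to.lower())


def classify(rec: SmtpRecord) -> list:
    """Return the indicators a record matches (empty list means no match).

    Host+port alone is the weakest signal, since the mail server belongs to a
    third party whose legitimate users also talk to it; the sender login and
    the protonmail recipient are the parts specific to this config.
    """
    hits = []
    if rec.dst_host == EXFIL_HOST and rec.dst_port == EXFIL_PORT:
        hits.append("c2_host_port")
    if rec.mail_from == EXFIL_USER:
        hits.append("c2_sender")
    if rec.rcpt_to == EXFIL_RCPT:
        hits.append("c2_recipient")
    return hits


def scan(lines):
    """Return (src, hits) for every record matching at least one indicator."""
    results = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek-style header comments
        rec = parse_smtp_line(line)
        hits = classify(rec)
        if hits:
            results.append((rec.src, hits))
    return results


# Constructed sample records: a header, one benign session, one full
# exfiltration session, and one that only shares the recipient mailbox.
SAMPLE_LOG = [
    "#fields\tsrc\tdst_host\tdst_port\tmailfrom\trcptto",
    "10.0.0.15\tsmtp.example.com\t587\talice@example.com\tbob@example.com",
    "10.0.0.23\temail.globeauto.in\t587\tch02a_warranty@globeauto.in\tomdbox@protonmail.com",
    "10.0.0.42\tmail.other.invalid\t25\tnobody@other.invalid\tomdbox@protonmail.com",
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG):
        print(f"{src}: {', '.join(hits)}")
```

Because the stealer submits on port 587 with STARTTLS, the MAIL FROM and RCPT TO fields are only visible where the sensor sees the session before encryption or terminates TLS; on an encrypted session only the host+port match survives, which is why the weaker indicator is kept separate rather than dropped.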
Targets
Target: quotation#247833.pdf.exe
Size: 612KB
MD5: 52bbe58331758dd37f776189080a5ead
SHA1: 2542cfdfee6da01c4657c13b3327ebf6f91d42da
SHA256: 825a37255a61598eaa9eb15897dbc89f7e3637193c4e17775fbbc145ca523528
SHA512: a99a78ccc4ccc8fd2797d4f2f2c766c9043dd1dbbc7a588680d0472c43c44a78e31212c38f1753196cf0609e65b079b12656a59a934ae36ed4ff3e4f9312e5b8
SSDEEP: 12288:S5+SDlnIqMoroxB4559YxaxO2b0NJk+mYRSn9//kcCR8gyn8M4Rxg:CzM7xy559YxaxT0NJkiRU+cCR8VD4fg
-
AgentTesla
Agent Tesla is a .NET-based (Visual Basic .NET) remote access tool (RAT) and information stealer; this sample's extracted config sends collected data out over SMTP.
-
Checks computer location settings
Looks up the country code configured in the registry, likely a geofence. A sample that exits on a region mismatch will look inert in a sandbox whose locale falls outside the allowed set, so a quiet detonation here does not by itself clear the file.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
Persistence through a Registry Run key; combined with the dropped EXE above, the value points at the copy the sample wrote to disk.
-
Suspicious use of SetThreadContext
Calling SetThreadContext on another process's suspended thread is the step that makes a hollowed or injected payload run; the payload then executes under the host process's name.
-
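The "Executes dropped EXE" and "Adds Run key to start application" signatures together describe a dropped copy launched from a Run value. As an added example that is not part of the sandbox report, the block below triages Sysmon registry events (Event ID 13, SetValue) for that pattern: a Run/RunOnce value whose command points into a user-writable location is rated high, one pointing elsewhere medium. The events are constructed; the value name "Updater", the paths, and the record IDs are assumptions for illustration, not values observed for this sample.

```python
"""Flag Run-key persistence in Sysmon registry events (Event ID 13, SetValue).

Added example, not part of the sandbox report. The events below are constructed
dicts mimicking Sysmon's RegistryEvent fields (TargetObject, Details, Image);
the value name, paths and record IDs are assumptions, not observed values.
"""
import re
from typing import Optional

# Run or RunOnce under HKLM or a user hive, followed by exactly one value name.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Locations a non-elevated process can write to. A Run value launching from one
# of these is the dropped-EXE plus Run-key pattern from the signatures above.
USER_WRITABLE_RE = re.compile(
    r"(?:\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\)",
    re.IGNORECASE,
)


def run_key_severity(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or None for one Sysmon event dict.

    Only SetValue events (ID 13) carry the command in Details; CreateKey
    (ID 12) on the same path is noise on its own and is ignored.
    """
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return None
    if USER_WRITABLE_RE.search(event.get("Details", "")):
        return "high"
    return "medium"


def triage(events):
    """Return (RecordID, severity, command) for each event worth a look."""
    out = []
    for e in events:
        sev = run_key_severity(e)
        if sev:
            out.append((e["RecordID"], sev, e.get("Details", "")))
    return out


# Constructed events: an unrelated Explorer setting, the dropped-copy Run value,
# a vendor agent installed under Program Files, and a CreateKey for the same path.
SAMPLE_EVENTS = [
    {"RecordID": 1, "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"RecordID": 2, "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Users\\victim\\Downloads\\quotation#247833.pdf.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\victim\\AppData\\Roaming\\Updater\\Updater.exe"},
    {"RecordID": 3, "EventID": 13, "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},
    {"RecordID": 4, "EventID": 12, "EventType": "CreateKey",
     "Image": "C:\\Users\\victim\\AppData\\Roaming\\Updater\\Updater.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": ""},
]

if __name__ == "__main__":
    for record_id, sev, cmd in triage(SAMPLE_EVENTS):
        print(f"record {record_id}: {sev} -> {cmd}")
```

The medium tier exists so that a Run value written by an installer to Program Files is still reviewable without drowning the user-profile hits; the Image field is kept on each event so the analyst can pivot from the high hit to the process that wrote it.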
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)
Privilege Escalation
Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Scheduled Task/Job (1)