General
-
Target
c63cbdfeaddd4e1867b5d9aedf4b77dd.rtf
-
Size
69KB
-
Sample
240427-h9hppsed8s
-
MD5
c63cbdfeaddd4e1867b5d9aedf4b77dd
-
SHA1
3bf4b2aaff1bd05cea30ddee92df5d33abbdd27b
-
SHA256
ee131e6b57d6b32accb0f82fd5a42ddc65d9030143b177833ddc260b645c2d40
-
SHA512
1d06683f93b87bad277891e1ffe418b999e355503505a74fe1f4ee69203b7f6b7bae9b6ae3985fed7226773eeac10f20ecbc980337bf0480892b11b2eb135264
-
SSDEEP
1536:K3PhdfI79nclO824wMeQ/Mwxqum+UI2VOv5RLEC42Qne0+5sMw/KcoGoyeX:w3fIZOO824wMfUwIZ+UI2VE5RLEC42Qq
Static task
static1
Behavioral task
behavioral1
Sample
c63cbdfeaddd4e1867b5d9aedf4b77dd.rtf
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
c63cbdfeaddd4e1867b5d9aedf4b77dd.rtf
Resource
win10v2004-20240419-en
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.controlfire.com.mx - Port:
587 - Username:
apama@controlfire.com.mx - Password:
[;E4nNUMlscW - Email To:
apama_reports@controlfire.com.mx
Targets
-
-
Target
c63cbdfeaddd4e1867b5d9aedf4b77dd.rtf
-
Size
69KB
-
MD5
c63cbdfeaddd4e1867b5d9aedf4b77dd
-
SHA1
3bf4b2aaff1bd05cea30ddee92df5d33abbdd27b
-
SHA256
ee131e6b57d6b32accb0f82fd5a42ddc65d9030143b177833ddc260b645c2d40
-
SHA512
1d06683f93b87bad277891e1ffe418b999e355503505a74fe1f4ee69203b7f6b7bae9b6ae3985fed7226773eeac10f20ecbc980337bf0480892b11b2eb135264
-
SSDEEP
1536:K3PhdfI79nclO824wMeQ/Mwxqum+UI2VOv5RLEC42Qne0+5sMw/KcoGoyeX:w3fIZOO824wMfUwIZ+UI2VE5RLEC42Qq
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-