General
Target: DocRFQ2050023RFT.xlsm
Size: 102KB
Sample: 221003-lkw3ksfhg4
MD5: 10752bde286212b1e5ec01803a554c03
SHA1: 862d54b78dd19d45a980f49201e6acca47857252
SHA256: 4689852a6e06ba83be08fe943de1159aa8aaad7e1701b5fae5786ddd0930ba23
SHA512: 7f831287482a9be78033ae840bee703a547ba9e35b922548fbbbbdd4a414748b4fead71f3456b726f1b391d686743febf70cc7163729f0a72f9b375cf620cb4e
SSDEEP: 3072:yZOKZu86S3Roy9uFwZlsaFPOHYonHBxqPZ5uf:ycYuS/IwZltFPgYonHBxqPZS
Static task: static1
Behavioral task: behavioral1
Sample: DocRFQ2050023RFT.xlsm
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: DocRFQ2050023RFT.xlsm
Resource: win10v2004-20220812-en
Malware Config
Extracted: agenttesla
http://45.155.165.63/3ip/inc/523ecb38582a9c.php
Targets
Target: DocRFQ2050023RFT.xlsm
Size: 102KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP values are identical to those listed under General above.)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of SetThreadContext