General
- Target: TTXCopy22112022.xls
- Size: 73KB
- Sample: 221123-hsqc8ahh2t
- MD5: aa47fce5c9db6e06ad3116845f725fa6
- SHA1: eae3e06a94745bfac6d33236b891279924e7de6a
- SHA256: 61fe9f95f15334c2d92d207799346870a43588b4c8870911ee76010c837aafed
- SHA512: 4554ec8b3351686e83275229cbea44569f10d9ade388bf289eb16b29ee27b9d9f1b0a411d8be302d8c5214f2c6a8502c558628acc0ef017e5ba270a723f20ce8
- SSDEEP: 1536:xkt09fj7aj46y8t3zdjPRBqpszI8rUbWpcVsffnmRDUu31dTXrX3:HUyi3zNFI8r8WuVsX231dH
Static task: static1
Behavioral task: behavioral1
- Sample: TTXCopy22112022.xls
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: TTXCopy22112022.xls
- Resource: win10v2004-20221111-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: s$xlD^f9
Targets
- Target: TTXCopy22112022.xls (size and hashes as listed under General above)
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext