General

Target: SAP_RFQ-22-QAI-OPS-0067.Docx.exe
Size: 620KB
Sample: 221128-lv5gpsdh79
MD5: b8f736607ea7ec358e248e2f4080e9da
SHA1: 264dbba5b8a0d207e07b345cf3b36806bea115ca
SHA256: 25df8b5051cdf0742e65d76cd5ed31f2bc19fa46b9cf176cfea17c7d7ae166da
SHA512: 53a1a854f3f740c77994ad6d8ab556f01e6a28064afe08fe4a91f3617fec5cb565745f95417b35a5cd324cfd53b248ed5fa96da48b724b920d1d0049dc8baa5f
SSDEEP: 12288:Sy6Gl7psTm/1BJDhm4W7DWP3zBnbiqTAfMM:SyN8TS84KDWP33kfMM
Static task: static1

Behavioral task: behavioral1
  Sample: SAP_RFQ-22-QAI-OPS-0067.Docx.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: SAP_RFQ-22-QAI-OPS-0067.Docx.exe
  Resource: win10v2004-20220812-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.mavicivata.com
Port: 587
Username: emin@mavicivata.com
Password: 5Egb6R1NW
Email To: erankopal@gmail.com
Targets

Target: SAP_RFQ-22-QAI-OPS-0067.Docx.exe (size and hashes as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext