General
-
Target
BL # YMLUI236283404.xls
-
Size
299KB
-
Sample
221128-lv6prsdh85
-
MD5
20c17af1d50e892c577a2caf166794a5
-
SHA1
cc83f156d8997b6fd0539ade4eb24513cac0f3b9
-
SHA256
62af820ce61935ca89b8049f59f18e50de3dfa6b83a62c459b04585cc168cb6a
-
SHA512
31caf2a0678e5742139333b14a5e0225bf5918ceb11f8a57e214e70716e572608cc251797e98c052cf12d37d1b09f8ba684c449a3c51a16fba5e327cc0990ca1
-
SSDEEP
6144:cdHvgRwaLsciuXHo/3v/p7XXXXXXXXXXXXUXXXXXXXXXXXXXXXXxLeWu6oHXEPt+:cdHvgmB4XIvXp7XXXXXXXXXXXXUXXXXy
Static task
static1
Behavioral task
behavioral1
Sample
BL # YMLUI236283404.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
BL # YMLUI236283404.xls
Resource
win10v2004-20220812-en
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: host39.registrar-servers.com
Port: 587
Username: falah.alrawi@alpaimcement.com
Password: payment12345
Targets
-
-
Target
BL # YMLUI236283404.xls
-
Size
299KB
-
MD5
20c17af1d50e892c577a2caf166794a5
-
SHA1
cc83f156d8997b6fd0539ade4eb24513cac0f3b9
-
SHA256
62af820ce61935ca89b8049f59f18e50de3dfa6b83a62c459b04585cc168cb6a
-
SHA512
31caf2a0678e5742139333b14a5e0225bf5918ceb11f8a57e214e70716e572608cc251797e98c052cf12d37d1b09f8ba684c449a3c51a16fba5e327cc0990ca1
-
SSDEEP
6144:cdHvgRwaLsciuXHo/3v/p7XXXXXXXXXXXXUXXXXXXXXXXXXXXXXxLeWu6oHXEPt+:cdHvgmB4XIvXp7XXXXXXXXXXXXUXXXXy
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic; the extracted config above is the SMTP account it uses to mail stolen credentials and keystrokes out of the infected host.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
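The extracted SMTP config and the behavioural signatures above can be turned into a host-side check. The following is an added example, not the sandbox's own signature engine: it matches a stream of Sysmon-style events (process create, network connect, file create, DNS query) against the page's C2 host and port and against the parent/child and network behaviour the signature list describes. The sample events, the set of IP-lookup services and the assumption that vbc.exe is a blocklisted network client are constructed for the example and are not taken from the report.

```python
"""Match constructed Sysmon-style events against the Agent Tesla behaviours
and the SMTP C2 reported above. Example code, not the sandbox's signatures."""
import os

# IOCs from the report's extracted config
C2_SMTP_HOST = "host39.registrar-servers.com"
C2_SMTP_PORT = 587

# Assumption: web services Agent Tesla commonly queries for the external IP.
IP_LOOKUP_HOSTS = {"api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}
OFFICE_PROCS = {"excel.exe", "winword.exe", "powerpnt.exe"}
VBS_COMPILER = "vbc.exe"  # assumed to be on the "blocklisted process" list

# Constructed events (EventID 1 = process create, 3 = network connect,
# 11 = file create, 22 = DNS query). Not taken from the report.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 11, "pid": 100, "target": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"id": 1, "pid": 200, "ppid": 100,
     "image": r"C:\Users\user\AppData\Roaming\svchost.exe"},
    {"id": 1, "pid": 300, "ppid": 200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"id": 22, "pid": 300, "query": "api.ipify.org"},
    {"id": 22, "pid": 300, "query": C2_SMTP_HOST},
    {"id": 3, "pid": 300, "dest_host": C2_SMTP_HOST, "dest_port": 587},
]


def base(image):
    """Lower-cased file name of a Windows image path, portable across OSes."""
    return os.path.basename(image.replace("\\", "/")).lower()


def match_signatures(events):
    """Return {signature_name: [evidence, ...]} for an ordered event stream."""
    hits = {}

    def hit(name, evidence):
        hits.setdefault(name, []).append(evidence)

    procs = {}               # pid -> image basename
    dropped = set()          # lower-cased .exe paths written by an Office process
    office_lineage = set()   # pids that are an Office process or descend from one

    for ev in events:
        pid = ev["pid"]
        if ev["id"] == 1:
            name = base(ev["image"])
            procs[pid] = name
            ppid = ev["ppid"]
            if name in OFFICE_PROCS or ppid in office_lineage:
                office_lineage.add(pid)
            if ev["image"].lower() in dropped:
                hit("Executes dropped EXE",
                    f"{procs.get(ppid, '?')} -> {ev['image']}")
            if name == VBS_COMPILER and ppid in office_lineage:
                hit("Uses the VBS compiler for execution",
                    f"{procs.get(ppid)} spawned vbc.exe (pid {pid})")
        elif ev["id"] == 11:
            # Remember executables written by Office so a later launch is flagged
            if procs.get(pid) in OFFICE_PROCS and ev["target"].lower().endswith(".exe"):
                dropped.add(ev["target"].lower())
        elif ev["id"] == 22:
            q = ev["query"].lower()
            if q in IP_LOOKUP_HOSTS:
                hit("Looks up external IP address via web service",
                    f"{procs.get(pid)} queried {q}")
        elif ev["id"] == 3:
            src = procs.get(pid)
            dest = f"{ev['dest_host']}:{ev['dest_port']}"
            if src == VBS_COMPILER or pid in office_lineage:
                hit("Blocklisted process makes network request", f"{src} -> {dest}")
            if ev["dest_host"].lower() == C2_SMTP_HOST and ev["dest_port"] == C2_SMTP_PORT:
                hit("Agent Tesla SMTP exfiltration (config match)", f"{src} -> {dest}")
    return hits


if __name__ == "__main__":
    for sig, evidence in match_signatures(SAMPLE_EVENTS).items():
        print(sig)
        for line in evidence:
            print("   ", line)
```

The SMTP match keys on host and port from the extracted config; the mailbox name and password are useful for blocking at the mail gateway and for notifying the account's owner, since Agent Tesla typically abuses a compromised or attacker-registered account at a legitimate domain as its drop box.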