General
- Target: PAYMENT COPY-1232022.doc
- Size: 26KB
- Sample: 221204-mvjexafd5w
- MD5: 212a9aba6446f96e50fb84be3b1efe81
- SHA1: 6a7167f955335c51cf0caeb3de3a6b840b4efb27
- SHA256: b2d62f4e9fbe30be03a9db6f5370a4493e383ae23f0a086605dc03d43e846081
- SHA512: d6187730360473598cde356b281371602bf0a19869ee69f01b3139ce9fcae7b9a7c60ae5c1dccd84682c6ce1955bd131f622e23f9c4a082e7e01d7ec7533c463
- SSDEEP: 768:vFx0XaIsnPRIa4fwJMrFADxXFJOYnNWgMaesfhA:vf0Xvx3EMrmF1AYhlZfhA
Static task: static1
Behavioral task: behavioral1
- Sample: PAYMENT COPY-1232022.rtf
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: PAYMENT COPY-1232022.rtf
- Resource: win10v2004-20220901-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: hnxqezadblabdsss
Targets
- Target: PAYMENT COPY-1232022.doc
- Size: 26KB
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext