General
Target: 89-079831221.doc
Size: 27KB
Sample: 221206-hrhxrage9y
MD5: 7491a7d24a91632ccbb5b427813b3af4
SHA1: 9372c849f9612e83e82d605e9c342fa9148e5367
SHA256: 2450e082147d46b692e3ff2cfc70c64b9e3e1e5dcab9afed208b28dc0557b4ee
SHA512: a814d63a1ebb263af4301ef73a24febd71fca06cf00afea703451677892324ed1650a9cf39729df7be10d174bdbd50ed1821e2a2a1dc946ec48417f071c017c7
SSDEEP: 384:gQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZ/OqgkJQ2dshCOErzALyl/QGM5:8Fx0XaIsnPRIa4fwJMBOPcQl8X/QLBz
Static task: static1
Behavioral task: behavioral1
Sample: 89-079831221.rtf
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 89-079831221.rtf
Resource: win10v2004-20221111-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: server323.web-hosting.com
Port: 587
Username: [email protected]
Password: turkey@123
Email To: [email protected]
Targets
Target: 89-079831221.doc
Size: 27KB
(MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext