General

Target: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.20200.17888.xlsx
Size: 291KB
Sample: 221207-kge48adg6t
MD5: 44cab1b3599621ab184fe2efd8215ce5
SHA1: 75a3eae30a6702db15f5876d80cd7c850d35bf82
SHA256: 6f48f11967a585d492f24fcbc4f9733d8eb9c830f9f2d2cd903e4a314d26c357
SHA512: 31ed185b6899254b931a9d500890fc22bed70da82462d128bcfe06a330995e53b08db286cce8b3ccad59921babf2c1e671ade3ad75929644bd6b376b6ea93647
SSDEEP: 6144:upX2FlZ+RwPONXoRjDhIcp0fDlavx+W26nAWQR+FJk+z6DU/dt1QAtqUKSgtDQ:u87S+Fi+znt1QA0u+
Static task: static1

Behavioral task: behavioral1
Sample: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.20200.17888.xls
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: SecuriteInfo.com.Exploit.MathType-Obfs.Gen.20200.17888.xls
Resource: win10v2004-20220901-en
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: host39.registrar-servers.com
Port: 587
Username: [email protected]
Password: payment 12345
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext