General
Target: 22-11093311.doc
Size: 29KB
Sample: 221208-m19jaahg39
MD5: 3d016eab2f7ffcff51f487fea2721dd2
SHA1: 5254b9b19967a9d496ce0d7247c13393193e348a
SHA256: 1b83d5ce3df5b28d774a428fbabf41a3b21767d03e0fe06620f77f9b7108fee4
SHA512: 57e7802c33c6f15532f874f3c14d4927af91f01f5b1b97ffd59dd19f56c4834ca4d6ff9f605f83297fd39509f135db9adf18e37698c0addfb61c99419f9be2b4
SSDEEP: 768:EFx0XaIsnPRIa4fwJM4QuKV4NIsaDrcx1zVicloo:Ef0Xvx3EM4QuACIvW1BiclB
Static task: static1
Behavioral task: behavioral1 (Sample: 22-11093311.rtf, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: 22-11093311.rtf, Resource: win10v2004-20220812-en)
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: server323.web-hosting.com
Port: 587
Username: admin@transcooldv.com
Password: turkey@123
Email To: owen@transcooldv.com
Targets
Target: 22-11093311.doc
Size: 29KB
MD5: 3d016eab2f7ffcff51f487fea2721dd2
SHA1: 5254b9b19967a9d496ce0d7247c13393193e348a
SHA256: 1b83d5ce3df5b28d774a428fbabf41a3b21767d03e0fe06620f77f9b7108fee4
SHA512: 57e7802c33c6f15532f874f3c14d4927af91f01f5b1b97ffd59dd19f56c4834ca4d6ff9f605f83297fd39509f135db9adf18e37698c0addfb61c99419f9be2b4
SSDEEP: 768:EFx0XaIsnPRIa4fwJM4QuKV4NIsaDrcx1zVicloo:Ef0Xvx3EM4QuACIvW1BiclB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext