General
Target: c_xF3pia_r_xE1pida.doc
Size: 255KB
Sample: 230125-nndrhsfh25
MD5: 72af4b046582fa39d8a302d460de50c9
SHA1: 79fb9c95dd88ed5e4343f0f8e2603b4a296150b7
SHA256: 72342930696771d8f979442184cf8503588840bc32843f172d185ef334285664
SHA512: 85971e64415886036564935bc178275e11bbb7ceb6cef516af8da422b3dbc5e2662ac9ee2b8fd0873620b43f39a36b2f2f07fcb157d4967a8111b6793fea77a3
SSDEEP: 1536:i+r5aosJaQf5UHZbv7bpGLJ/oj4lFSHTVFojaVbUxZVzFz76mAg5eeVhMDw5wfL8:id54+VzFtr5RDAw5wfY
Static task: static1
Behavioral task: behavioral1
Sample: c_xF3pia_r_xE1pida.rtf
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: c_xF3pia_r_xE1pida.rtf
Resource: win10v2004-20220901-en
Malware Config
Extracted: http://46.101.92.117/hol/telex.exe
Extracted (agenttesla): https://api.telegram.org/bot5479139811:AAFjvrIBMkhtgUmULA2dMcFBI3ifYLrXZAc/
Targets
Target: c_xF3pia_r_xE1pida.doc
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext