General
-
Target
rfq_items_order_purchase_quotation_30012023000000000000.docx.doc
-
Size
10KB
-
Sample
230130-j6pvaabc8t
-
MD5
9136352a3a3208e5b87191b93eebff30
-
SHA1
ed48bacf8eec9fb8bae959b8c5cd084f0b545a68
-
SHA256
23311a11d65e655d55d07d9db638fe865e36b1ef5ba022936678d076ca9f134b
-
SHA512
e1bd869cb02d2c2e6ed7dcc24648deaccac96a830d93681c6399a2cb3a43fec94355aad8d6169d84bcc433ce3380ae3a17e6dbae5388e7de1264b02d03a87d1c
-
SSDEEP
192:ScIMmtP5hG/b7XN+eOtWO+5+5F7Jar/YEChI3yZ:SPXRE7XtO47wtar/YECOO
Static task
static1
Behavioral task
behavioral1
Sample
rfq_items_order_purchase_quotation_30012023000000000000.docx
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
rfq_items_order_purchase_quotation_30012023000000000000.docx
Resource
win10v2004-20220812-en
Malware Config
Extracted
http://dgdfghfjfghfghfghgfhfghfgsdgfggdfgdfgertdfgdfgdfg@3221452429/g.doc
Extracted
agenttesla
https://api.telegram.org/bot5672966801:AAGkdauVLuRijg4BBwGbZ-5sO2ggBTSZUHE/
Targets
-
-
Target
rfq_items_order_purchase_quotation_30012023000000000000.docx.doc
-
Size
10KB
-
MD5
9136352a3a3208e5b87191b93eebff30
-
SHA1
ed48bacf8eec9fb8bae959b8c5cd084f0b545a68
-
SHA256
23311a11d65e655d55d07d9db638fe865e36b1ef5ba022936678d076ca9f134b
-
SHA512
e1bd869cb02d2c2e6ed7dcc24648deaccac96a830d93681c6399a2cb3a43fec94355aad8d6169d84bcc433ce3380ae3a17e6dbae5388e7de1264b02d03a87d1c
-
SSDEEP
192:ScIMmtP5hG/b7XN+eOtWO+5+5F7Jar/YEChI3yZ:SPXRE7XtO47wtar/YECOO
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-