General
- Target: Order Inquiry.docx
- Size: 10KB
- Sample: 230216-kc1kcsgf75
- MD5: 57d16dbddb34ade771e1a233177cfc7f
- SHA1: 7d870285442d9a844166513f0fedc5b453ad9a5c
- SHA256: efc8f777d52a3bcbde5fb7c4b67efd44a1d973199e2382e2781f650102b92561
- SHA512: c405ad82f33aa8ff29235f1907a81f51198f45ace86c0f62397001b9e1832c75e079e9368be2e004e248cc605b6d790ca872742b396259d0ea3ba5ae253f0cc8
- SSDEEP: 192:ScIMmtP5hG/b7XN+eOtaO+5+5F7Jar/YEChI30J:SPXRE7XtOta7wtar/YECOA
Static task: static1
Behavioral task: behavioral1 (Sample: Order Inquiry.docx; Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: Order Inquiry.docx; Resource: win10v2004-20220812-en)
Malware Config
Extracted:
- http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@1806682775/O_O.DOC
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: info@opttools-tw.com
- Password: kV$bSqJ1 daniel
- Email To: info@opttools-tw.com
Targets
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext