General
Target: UPDATED ORDER.docx.zip
Size: 7KB
Sample: 230217-ngbzcafb57
MD5: d470a79f079cb5b9facc1d39616f1c7b
SHA1: 8b509770aa35b97e15bc6c52d722348bd123adc2
SHA256: 65e6187f39c04791495ee9f6ab7789e14d8af67cc60f46e3f4ae645fcd1e3745
SHA512: e830f2b754ffc0a42c629cd08d158493306234db30277963b297ed81729492cfd92abe5512ece5d543e00faa67bfb07f4a1007eb4f1b397a317e8d8632c0eb49
SSDEEP: 192:toz4wfx7sWM7Ziu5rr4pYJqBd/bWuImgHL6HKY06w4tkIhOd:i4Ix7sWM7Zdr4UiNlTgWq14t8
Static task: static1
Behavioral task: behavioral1 (Sample: UPDATED ORDER.docx, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: UPDATED ORDER.docx, Resource: win10v2004-20221111-en)
Malware Config
Extracted: http:/QQQQWWWWQWWWWQWWQWQWQWQQWQWQQWQWQWQWQWQWQWQQQQQQQQOQQQQQOOOOOOOOQOQQQQOQOQOQOQOQOQQWWWWQWQWQWQWQWQWQWQWQQWQ@3118348624/O_O.DOC
Extracted (agenttesla): https://api.telegram.org/bot1900392974:AAEB_yGGlWksNcNC4Dg08OgUSlmDON2w098/sendDocument
Targets
Target: UPDATED ORDER.docx
Size: 10KB
MD5: 045c9a932ad454a9c226e146d761b284
SHA1: eba9136f2eb1eef380b1dcdd3745f3ddb3631613
SHA256: 59087ec2fbf8340268cd3aeeed9e4f3bd107cd2c1852a074f38e3723dfa7cf00
SHA512: 19fc83fcdee224b4e64a5b333ce732a1bdbc8c086ac2d41a26e00c77dbf6bc22c34637936d8acf1cac4bc0a67ac3012713f432ce147a6137b13382a57579380b
SSDEEP: 192:ScIMmtP5hG/b7XN+eO4DAO+5+5F7Jar/YEChI3nPV:SPXRE7XtO4DA7wtar/YECOnN
Score: 10/10
Signatures:
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext