General
Target: PaymentXAdviceX564302.docx.doc
Size: 11KB
Sample: 230220-h2nwrahe2v
MD5: b5feb67f622e1572bdac818e8e53ea37
SHA1: 89a7f7d20ffb3aa2a7ed2e65343dadc0ec095160
SHA256: 249dc777ba06394d03cd265b4fb1f0fdc5063af5434102c2e23daeb752d59cda
SHA512: a535c3d3a3ebf790a382d1ebf7d4e1d690be100af23cf0e0e875ab872c6fe8efbb13394b14582352ba7576ea7b2e83c756bb6f40534023d378047fb210530c1e
SSDEEP: 192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCQS5VJg9:aNxUyn0i13LROEiOLkX6Ujnw+3Y5Vk
Static task: static1
Behavioral task: behavioral1
  Sample: PaymentXAdviceX564302.docx
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: PaymentXAdviceX564302.docx
  Resource: win10v2004-20220812-en
Malware Config
Extracted:
  http://WEEEERRRRRRRRRRRPPPOOOOSSSSSSSOOOOOPPWEEEEEEEOOOOOOOCCVVVVVVVVOVVVVVVVVVVVVVVVVOOOOOO@1806682775/O--OO.DOC
Extracted: agenttesla
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: lawsaman@steveboi.com
  Password: !Gphfth8
  Email To: lawsaman@steveboi.com
Targets
Target: PaymentXAdviceX564302.docx.doc
Size: 11KB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Blocklisted process makes network request
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Accesses Microsoft Outlook profiles
Adds Run key to start application
Suspicious use of SetThreadContext