General
- Target: PO feb.docx
- Size: 11KB
- Sample: 230220-m2m2nsag24
- MD5: fa6ef5c487c9df577931e5c77f3648df
- SHA1: d8c67a2533ee451f0d04d24ebc06ceecd35a29f3
- SHA256: 6c95900f9e4213ee9957b3b7c8dc2af84c198b35b64c0de4cf2cb4fc0b613d7f
- SHA512: 52b8cde974e06abcc51fcb5f1007c63fe0eda0dee11c6e4b2145c88fbcbff6fbf9e1bec54bda2286ea638982a94f84121d0b6e5da05adc7a1f58c9fe86ab8a4d
- SSDEEP: 192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCFYBVy:aNxUyn0i13LROEiOLkX6Ujnw+3aWVy
Static task: static1
Behavioral task: behavioral1
- Sample: PO feb.docx
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: PO feb.docx
- Resource: win10v2004-20221111-en
Malware Config
- Extracted: http://WEEEERRRRRRRRRRRPPPOOOOSSSSSSSOOOOOPPWEEEEEEEOOOOOOOCCVVVVVVVVOVVVVVVVVVVVVVVVVOOOOOO@1806682775/O--O.DOC
- Extracted: agenttesla
  - Protocol: smtp
  - Host: us2.smtp.mailhostbox.com
  - Port: 587
  - Username: info@opttools-tw.com
  - Password: kV$bSqJ1 daniel
  - Email To: info@opttools-tw.com
Targets
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext