General
- Target: PO_03012023.docx
- Size: 10KB
- Sample: 230301-jq3ffafc55
- MD5: 2f1d7d1c6a4ac4baab35d66d028fd45c
- SHA1: a55ecbd8553b44f1eebe3e414179cc1e0824834e
- SHA256: 55066756eb5b31eaf5b403b5c8e2578fcc42f030af664ea7aa2bb7d9285e7945
- SHA512: 910605889f126872b94538c8d4d9beeb1795b78b3ff9f89142789ab76add819f0f14da82e47971206cb2a2eade68cd8d59ee0f489853f80c2eefd928ce95d67d
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uOmXl+CVWBXJC0c3eu:SPXU/slT+LOsHkZC9d
Static task: static1
Behavioral task: behavioral1
- Sample: PO_03012023.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: PO_03012023.docx
- Resource: win10v2004-20230220-en
Malware Config
- Extracted: http://OIWEROFSDFOOWROOSDFODFOWESODFGDOFGOSDFOIOFSODOXCVVODOO00FOF00F0DF0FFSDF0SDF00SDF0DF0SDF00SDF0S0DF00DF@392060937/ccc........................................doc
- Extracted (agenttesla): https://api.telegram.org/bot5577155192:AAEz6ZTkghx2RsdTxeeE-sDulPHc5WQblVg/
Targets
- Target: PO_03012023.docx
- Size: 10KB
- MD5: 2f1d7d1c6a4ac4baab35d66d028fd45c
- SHA1: a55ecbd8553b44f1eebe3e414179cc1e0824834e
- SHA256: 55066756eb5b31eaf5b403b5c8e2578fcc42f030af664ea7aa2bb7d9285e7945
- SHA512: 910605889f126872b94538c8d4d9beeb1795b78b3ff9f89142789ab76add819f0f14da82e47971206cb2a2eade68cd8d59ee0f489853f80c2eefd928ce95d67d
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uOmXl+CVWBXJC0c3eu:SPXU/slT+LOsHkZC9d
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory