General
Target: PO+010-240.docx
Size: 10KB
Sample: 230301-rvpddage58
MD5: 1cb238263947b5019937888d3cad8833
SHA1: 15d5367bd9cd0fb7fec8ca9ef2360b57a40c63c0
SHA256: 3db84a830fee9dea668512769206f1002edf7d27747611f728c14974cd14726a
SHA512: d73cd6a02a2fb6f481a00b7e96d45b7091ac1a5a3fb57763923864fabacb2eb8c945150adf740a64d7d7eae94ac23c9b47b7471fc6e6a9a50f11aca051339748
SSDEEP: 192:ScIMmtP1aIG/bslPL++uO+A5Wgywl+CVWBXJC0c3hzVG:SPXU/slT+LO+mbywHkZC9K
Static task: static1
Behavioral task: behavioral1 (Sample: PO+010-240.docx, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: PO+010-240.docx, Resource: win10v2004-20230221-en)
Malware Config
Extracted
http://OIWEROFSDFOOWROOSDFODFOWESODFGDOFGOSDFOIOFSODOXCVVODOO00FOF00F0DF0FFSDF0SDF00SDF0DF0SDF00SDF0S0DF00DF@3324948138/rr........................................................doc
Extracted: agenttesla
Protocol: smtp - Host: us2.smtp.mailhostbox.com - Port: 587 - Username: 002@frem-tr.com - Password: jCXzqcP1 daniel 3116 - Email To: 002@frem-tr.com
Targets
Target: PO+010-240.docx
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext