General

Target: Order 84889-CVE2-52022.docx.doc
Size: 10KB
Sample: 230302-je84vabe9y
MD5: 26898dc21c47a0c8ce44952f38be7558
SHA1: 7ca47776ae520edbb07d58e90e8f8b0194ca4def
SHA256: 0aa8fae7adcb3b01e64ff034585ab4f7dda57eef969732ca1f46a4645e25bf7e
SHA512: 36564d02ffc9df006a818909ae1b0c0e4a38f325758b55dc1d61f519c70d41b4f2970338cf9cd87323adaf4df014e79e33886af9aaf36cb893ca8bcff590d883
SSDEEP: 192:ScIMmtP1aIG/bslPL++uO+zl+CVWBXJC0c3ue:SPXU/slT+LO+zHkZC91
Static task: static1

Behavioral task: behavioral1
  Sample: Order 84889-CVE2-52022.docx
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: Order 84889-CVE2-52022.docx
  Resource: win10v2004-20230220-en
Malware Config

Extracted:
http://OOOW3OOOOOOO233OOOOOO23OO33B2OB32O32O32B3O23BO33O3S0DFSDF0X000F0SD0000WLLL21LLLLL222LLLLL3333LELLL@267199949/e2....................doc

Extracted: agenttesla
  Protocol: smtp
  Host: smtp.huiijingco.com
  Port: 587
  Username: m@huiijingco.com
  Password: lNLUrZT2
  Email To: m@huiijingco.com
Targets

Target: Order 84889-CVE2-52022.docx.doc
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext