General
Target: Josefinabosco Groups Limited RFQ#20230304.docx
Size: 10KB
Sample: 230303-lbpl5sgc8w
MD5: 6d5efe89e5096d4e503cfa45e3be6012
SHA1: 582580bdcdf8e6075a9bb736a5421e4674ce3750
SHA256: 5d39d0f94d3ab0ac294f5438619965dfcb56b6347faae2179c115caed2715ca8
SHA512: 239770ced2b5b104b9dd6394c1528d9bb8a691e0f0518ebe68d6cdabf3fd6298f43667671794f1cd6ef355bd10758e4d5b8a861fa11894d67da96f1af9dace78
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOXFl+CVWBXJC0c3o+:SPXU/slT+LOXFHkZC9j
Static task: static1
Behavioral task: behavioral1
Sample: Josefinabosco Groups Limited RFQ#20230304.docx
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: Josefinabosco Groups Limited RFQ#20230304.docx
Resource: win10v2004-20230220-en
Malware Config
Extracted
http://ZZZJOOIOIOSDP99090SDXDdad9SDED99000DF00DF0SDF00DF0XCCXC0V00S0FDS0F0DF00SSZZZZZZZZ0X0C0XCZZXC0X@3324948138/12u.12u.12u.doc
Extracted
Family: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: 002@frem-tr.com
Password: jCXzqcP1 daniel 3116
Email To: 002@frem-tr.com
Targets
Target: Josefinabosco Groups Limited RFQ#20230304.docx
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext