General
Target: SOA.docx
Size: 10KB
Sample: 230309-gchsrshf71
MD5: acdde6c86a6da4bc93805cd855022b1c
SHA1: 512ccadb3c7ea94b29171ef5dc00c149621472ca
SHA256: 532f654c0356db6de0e2b4d949afc2186b8055d35f9ea262eea09a4408cc3185
SHA512: 9400d0a8a9589e8e136f6a63c660445f3425666a53581b3fda3d7c603996bc737e7fde746a886fa2532fed6ae7f7abda0205a7c1deaa561071fee847c4720782
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOfNl+CVWBXJC0c3g5R:SPXU/slT+LOfNHkZC9gL
Static task: static1
Behavioral task: behavioral1 (Sample: SOA.docx, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: SOA.docx, Resource: win10v2004-20230220-en)
Malware Config
Extracted: http://yyyyyYYYYUUSUUUUUUU3243242UUU23U423U4UU2UWWWWW8W8W7W8WWWWWWW878W8W8WW78WWWW87W87W88WEEW787888W88W8W@392095676/79.79.79.doc
Extracted (agenttesla): https://api.telegram.org/bot5940813834:AAF8mKehOQ2jtgluy4NISP8DYRvxgz__xCQ/
Targets
Target: SOA.docx
Size: 10KB
MD5: acdde6c86a6da4bc93805cd855022b1c
SHA1: 512ccadb3c7ea94b29171ef5dc00c149621472ca
SHA256: 532f654c0356db6de0e2b4d949afc2186b8055d35f9ea262eea09a4408cc3185
SHA512: 9400d0a8a9589e8e136f6a63c660445f3425666a53581b3fda3d7c603996bc737e7fde746a886fa2532fed6ae7f7abda0205a7c1deaa561071fee847c4720782
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOfNl+CVWBXJC0c3g5R:SPXU/slT+LOfNHkZC9gL
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext