General
- Target: SOA FEB 5400005716.docx
- Size: 10KB
- Sample: 230310-qbgzhsfe6v
- MD5: 90612ab017d9b62b0845de6b196a10f5
- SHA1: 679287fd3b0389e47cced0fca528b3bb0bbe94c6
- SHA256: 33a34f4bad59e1c90a3fa5f4239abf5f5f13080e7ec71c09cdf11088e9c5cd8c
- SHA512: ee6395170cf4187379df05f1beab7449af8e37109a3524b4f89f0dcadc1ecea1515c8e31847ac93711f82118b86403335bd0bc58cb848bc7461b724821d5fa28
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uOmlvzl+CVWBXJC0c325:SPXU/slT+LOQHkZC96
Static task: static1
Behavioral task: behavioral1
- Sample: SOA FEB 5400005716.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: SOA FEB 5400005716.docx
- Resource: win10v2004-20230220-en
Malware Config
Extracted
http://yyyyyYYYYUUSUUUUUUU3243242UUU23U423U4UU2UWWWWW8W8W7W8WWWWWWW878W8W8WW78RRRRRRRRRRRRRRRRRRRR@3221450129/wu.......................wu...................doc
Extracted
agenttesla
- Protocol: smtp
- Host: mail.flexotechproducts.in
- Port: 587
- Username: accounts1@flexotechproducts.in
- Password: @Products$24
- Email To: benard.rnuthuri@gmail.com
Targets
- Target: SOA FEB 5400005716.docx
- Size: 10KB
- MD5: 90612ab017d9b62b0845de6b196a10f5
- SHA1: 679287fd3b0389e47cced0fca528b3bb0bbe94c6
- SHA256: 33a34f4bad59e1c90a3fa5f4239abf5f5f13080e7ec71c09cdf11088e9c5cd8c
- SHA512: ee6395170cf4187379df05f1beab7449af8e37109a3524b4f89f0dcadc1ecea1515c8e31847ac93711f82118b86403335bd0bc58cb848bc7461b724821d5fa28
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uOmlvzl+CVWBXJC0c325:SPXU/slT+LOQHkZC96
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext