General
- Target: Bank Deposit Slip 230228.docx
- Size: 10KB
- Sample: 230314-g7rzxsdh36
- MD5: 2105fbcf7af88cca80cbdae1768bd87a
- SHA1: 4af4b2bdd5324d83c69cd31c12dd4efd0b14281d
- SHA256: 36b207f1cf4470480efbaf303ce82a8214d1c40e3b991f6e3646c04fb0557138
- SHA512: adb9ebcabaa6a6b5a3fc0f44390e2bed1a47c7ea976baa3d9f192d1a38664fa70ad620f55a4859cfbf8a9d7e915c2144ff212db4d7d9a9ef5e75bebbcbb70c62
- SSDEEP: 192:ScIMmtP1aIG/bslPL++uO5ebl+CVWBXJC0c3fJ:SPXU/slT+LOkbHkZC9x
Static task: static1
Behavioral task: behavioral1
- Sample: Bank Deposit Slip 230228.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Bank Deposit Slip 230228.docx
- Resource: win10v2004-20230220-en
Malware Config
Extracted
http://ZZZ0000SDFDS0F0000000Z0Z00000000ZZ000000000000W0WW0W0W0W0W0W0W00W0W0W0W00Z0Z0Z0Z0Z0Z00Z0Z0Z00W0W0W00W@3221450129/73...................73...............doc
Extracted: agenttesla
- Protocol: smtp
- Host: mail.palumalimited.com
- Port: 587
- Username: novlove@palumalimited.com
- Password: 85h!UAfvL2AE
- Email To: mullarred@gmail.com
Targets
- Target: Bank Deposit Slip 230228.docx
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext