General
Target: 755d17162f2b8c414969b79406e66343.bin
Size: 1.2MB
Sample: 230328-b619baab9s
MD5: 2c67bf4002df49a2cc2da263a7cecb6c
SHA1: 99f440c0fd7b7de8024482041a8d6f2a1c2dfaa3
SHA256: 408282dbada204fa258b3aea5293cc431d0fe8251196818a000f4cf77b351744
SHA512: 2fb66d1f52f6070bfffbf531817b48b1a82df6cd21377d033d7df5fef4ef669c6035910d17950c9633cadf9da57b8c7a5565ac9382506c7b2eaea746714e339c
SSDEEP: 24576:7gRJ1q4ZkodW9BIzUzcqNF27QvvlMj7ijuem5zlSDgfAZeIdkK:sRJQ4TdWgDCg7AePiFm5hjAZjOK
Static task: static1
Behavioral task: behavioral1
Sample: 3db061e8ab14d7827584ec103733d3fd860986a5f7dd72ef4213e04d8c274245.xls
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 3db061e8ab14d7827584ec103733d3fd860986a5f7dd72ef4213e04d8c274245.xls
Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: log3@forrwel.net
Password: HNnNLPY3
Email To: log3@forrwel.net
Targets
Target: 3db061e8ab14d7827584ec103733d3fd860986a5f7dd72ef4213e04d8c274245.xls
Size: 1.3MB
MD5: 755d17162f2b8c414969b79406e66343
SHA1: 7e031cbb048a2fb56472c688833e6f558753086e
SHA256: 3db061e8ab14d7827584ec103733d3fd860986a5f7dd72ef4213e04d8c274245
SHA512: 1f8c722c8fe3726594ae58bb7fa0d291ec62c6797ea13d78d41e955359a534b2fa10ee5018fe1964d43596226af205d4384978a8f725975be0abbee03bc01309
SSDEEP: 24576:uLKhWQmmav30xUSSMMednEqP6bvdXXXXXXXXXXXXUXXXXXXXXXXXXXXXXZDSSMMT:uLKwQmmQ30SMR6OMd/6VzXKpv
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Suspicious use of SetThreadContext