General
- Target: Invoice and Packing list.doc
- Size: 30KB
- Sample: 230328-g141xahc79
- MD5: 685c4cd21e27467ff893f2f5365ef566
- SHA1: 25ca8c8ef3c305d207367bbe15f7625fd1e236e2
- SHA256: 7af5cf2c2851627fffce58f36ad4eaa1b95f87eec61c206d043d916d12b3d36b
- SHA512: 7c43e0266c36df87296257a1fb6d93265e5a3d4891b122e35936deade7d83a118533efbb2b653f0184da4bddf0709053c166fd4c6a15cc1a31f3f4c20b7860f6
- SSDEEP: 768:8Fx0XaIsnPRIa4fwJMSGxwxkQvC1yOZ5o7fLIQR:8f0Xvx3EMCxkQveQrjR
Static task
- static1
Behavioral task
- behavioral1: Sample Invoice and Packing list.rtf, Resource win7-20230220-en
Behavioral task
- behavioral2: Sample Invoice and Packing list.rtf, Resource win10v2004-20230220-en
Malware Config
Extracted: agenttesla
- Protocol: ftp
- Host: ftp://ftp.valvulasthermovalve.cl
- Port: 21
- Username: cva19491@valvulasthermovalve.cl
- Password: LILKOOLL14!!
Targets
- Target: Invoice and Packing list.doc (30KB; hashes as listed under General)
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext