General
Target: SOA MARCH.docx
Size: 10KB
Sample: 230328-lad41sbh2y
MD5: 5fbdc2fd7b9fcf00d75d57db95a45780
SHA1: b2a03e0b531c008057d2c3f4eeedc2b5f3ccaca4
SHA256: 973fd226d53866557260798be5796c3369f9c7c52215d65bf47e404274eac1f3
SHA512: e2d59f0bcbcc7f973de9166d3eb7715cc69951f1f923843c91160c95c9ffea33e79b5747eeff375be6c6bf8c0c38e54a0d1401711c8b3acd1107fb15c8240f99
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3H5:SPXU/slT+LOzHkZC9Z
Static task: static1
Behavioral task: behavioral1
Sample: SOA MARCH.docx
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: SOA MARCH.docx
Resource: win10v2004-20230220-en
Malware Config
Extracted
http://kkkkkkkkkkkkk34kkkkkkkkkkkkkk34kkkkkkkkkkkkkk34kkkkkkkkkkkkkk34kkkkkkkkkkkk34kkkkkkkkkkkkkk34ksdfhdskfhsdkfh33hkh34h3k@3221484439/31....................31.................doc
Extracted
agenttesla
https://api.telegram.org/bot5663632223:AAG5KHZDs7KWoaqTYx3lSyFlOdfD9vGegQo/
Targets
Target: SOA MARCH.docx
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext