General

Target: Swift Copy.docx.doc
Size: 10KB
Sample: 230330-lh6t1aca24
MD5: 7dfae8d21b887ed5d32e2ff010034bc3
SHA1: 93ffcfdf05e9b957aa7d1f36a213592383faf395
SHA256: 1723dec74416c2918e74abaa994d03af972fcb40ae8c6c0579fe29be92836b8e
SHA512: c0d3bbc9feaf43a0a2c4d23ca31aea7ab086bfed46664738c8e2d16cb5efeddcdf71a45c5be233dbb65463499267e1cc79b3ee32ea615ef8999e0d9ff964819d
SSDEEP: 192:ScIMmtP1aIG/bslPL++uOzl+CVWBXJC0c3Ce:SPXU/slT+LOzHkZC9x
Static task: static1

Behavioral task: behavioral1
  Sample: Swift Copy.docx
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: Swift Copy.docx
  Resource: win10v2004-20230221-en
Malware Config

Extracted:
http://OASOSIDFOSWEROEROOWRWERWEREWWW0W83W338W83WOIE33RR333R3R3R3333RRR33UU3U3UR8E8E8E8E833RERERER3R3R3333RRR3333RR33RRR33R33@392095676/50.........................50........................doc

Extracted: agenttesla
  Protocol: smtp
  Host: smtp.huiijingco.com
  Port: 587
  Username: m@huiijingco.com
  Password: lNLUrZT2
  Email To: m@huiijingco.com
Targets

Target: Swift Copy.docx.doc
Size: 10KB
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext