General
- Target: new+spain+order.doc
- Size: 33KB
- Sample: 230330-v645rafa7w
- MD5: db36641ec3f10d09764c30c7b5b878f4
- SHA1: 0a743acaa85fa32457e6a84dfc1dbab53cd07495
- SHA256: 3dc8800e380890fec915d4f62026caf4c5ff66f409d1c305c27b5f0ea14834b5
- SHA512: 3847a32d9d95c8e1864545e5322f775c4c28effda6b39abe8285635bd227a3e67470c8377bd9e8a713739a82271670a59cd4737e1cbd69854860ca1b50c13c0b
- SSDEEP: 768:dFx0XaIsnPRIa4fwJMg22OkhBOPYDpJoz741N7ajuEzuDnv:df0Xvx3EM/nk7aYDpJoz0TE8v
Static task: static1
Behavioral task: behavioral1
- Sample: new+spain+order.rtf
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: new+spain+order.rtf
- Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
C2: https://api.telegram.org/bot6258465660:AAFAPHkxw9lv-YgWk0oo5r_nv12k7nJhSWA/
Targets
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext