General
- Target: Wofco BonList3302023.doc
- Size: 30KB
- Sample: 230331-klgtlsad9s
- MD5: 61d8bbf815b071d980aa91c141bfd896
- SHA1: f65ce51936aa0f68d15b7a43e1eece852d38245e
- SHA256: 22d0b4c2c6256e73bcb60045f47f342465f8d9535c848bf6201730b26cf10f50
- SHA512: 7463e3d33c79ade3cb0b25bdeb2ebfeee4cfe5d8d7873a851925ed04b45450708013a7033abbc42777f333cbc32646941608e620a37c121463d2589d021bcad6
- SSDEEP: 768:nFx0XaIsnPRIa4fwJMyd2AZSKmpGU7hDc9t+SRrygd9YYSli:nf0Xvx3EMyd2KmpG6Dc9tnygd9Y5li
Static task: static1
Behavioral task: behavioral1
- Sample: Wofco BonList3302023.rtf
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: Wofco BonList3302023.rtf
- Resource: win10v2004-20230220-en
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: jaime.jeminez@gmail.com
- Password: pyyyhreafpwghuxn
- Email To: jaime.jeminez@gmail.com
Targets
- Target: Wofco BonList3302023.doc
- Size: 30KB
- MD5: 61d8bbf815b071d980aa91c141bfd896
- SHA1: f65ce51936aa0f68d15b7a43e1eece852d38245e
- SHA256: 22d0b4c2c6256e73bcb60045f47f342465f8d9535c848bf6201730b26cf10f50
- SHA512: 7463e3d33c79ade3cb0b25bdeb2ebfeee4cfe5d8d7873a851925ed04b45450708013a7033abbc42777f333cbc32646941608e620a37c121463d2589d021bcad6
- SSDEEP: 768:nFx0XaIsnPRIa4fwJMyd2AZSKmpGU7hDc9t+SRrygd9YYSli:nf0Xvx3EMyd2KmpG6Dc9tnygd9Y5li
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext