General
- Target: TTXSWIFTXCOPYXX37,000.00.docx.doc
- Size: 10KB
- Sample: 230403-n5rdyaga5t
- MD5: b6be1d349682bfc62dbf86e68ab8ec4a
- SHA1: 98cbcf6d6d791f8520f8cf78629feac9e01d00fc
- SHA256: a578c79ee5c97c543e2465e9740d3d827e61bddddbd9807a18a79c269e6cb37c
- SHA512: e0b765f9bb90310ecefcf7f3ffad1f57d57dbbd58278d4001bff412a748e1152a31918a7ef7b443294f9472c0c4415073176f2000e29f6bb45abb03823d65ddf
- SSDEEP: 192:ScIMmtPGT7G/bIwXOVO995SEzBC4vNq6sM63lb8p:SPXuT+xXOVOBhlqHhw
Static task: static1
Behavioral task: behavioral1
- Sample: TTXSWIFTXCOPYXX37,000.00.docx
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: TTXSWIFTXCOPYXX37,000.00.docx
- Resource: win10v2004-20230220-en
Malware Config
Extracted: http://00000000000OOOOOLLLLLLLL000000000000LLLLLLLOOOOO00000000000LLLLLLLOOOOO0000000000LLLLL00000000000OOOLLLLLLL@3221468051/x......xx.......doc
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mitcomicrons.com
- Port: 587
- Username: tarif@mitcomicrons.com
- Password: mitco#123
- Email To: obtxxxtf@gmail.com
Targets
- Target: TTXSWIFTXCOPYXX37,000.00.docx.doc
- Size: 10KB
- MD5: b6be1d349682bfc62dbf86e68ab8ec4a
- SHA1: 98cbcf6d6d791f8520f8cf78629feac9e01d00fc
- SHA256: a578c79ee5c97c543e2465e9740d3d827e61bddddbd9807a18a79c269e6cb37c
- SHA512: e0b765f9bb90310ecefcf7f3ffad1f57d57dbbd58278d4001bff412a748e1152a31918a7ef7b443294f9472c0c4415073176f2000e29f6bb45abb03823d65ddf
- SSDEEP: 192:ScIMmtPGT7G/bIwXOVO995SEzBC4vNq6sM63lb8p:SPXuT+xXOVOBhlqHhw
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext